Neptune programming API

Quote

Indeed. I do actual work, and put up with the IT security trolls as little as possible. Too many of them live in the ivory towers and have no appreciation for productivity.



That's a pretty broad generalisation, isn't it? Some IT security people have their heads in the clouds, therefore every IT security person's viewpoint is useless?

Nice insult about my work, thanks.

Look, I open a post with "because I looked into this myself, and I'm bored and want to rant a little."

It's not my fault that my post went over most people's heads. I'm sorry that you don't get it. I'm sorry that theoretical security exploits seem outlandish and silly to most of you. Feel free to not respond to my post, there are enough people who DID understand my intent and what I was talking about, your responses clearly indicate that you didn't.

Rightly or wrongly people place trust in their equipment. Any weakness in that equipment should be discussed openly, and passionately. Hell there's 260+ posts in a discussion with many of them from people who thought that a cypres would magically know if a person was swooping or in freefall and want the company to admit that they screwed up.

My mistake was not realizing that those outside of the technology mindset would misunderstand the content and context of my post and go on the defensive.

TV's got them images, TV's got them all, nothing's shocking.

"Hmm, not very well informed on the workings of the Neptune and some misplaced allegations w.r.t Alti-2 IMO." Absolutely, I've done nothing more than read the available documentation at this point. Perhaps you'd like to provide the information which you're obviously in possession of so we can discuss this as equals?

"Yeah right, ask any car manufacturer for the protocol to mess with the engine management system..." So now you're saying that Alti-2 should adopt the attitude of General Motors? Yeah, as mentioned, there's major pressure on them to release that information to third party mechanics as it puts them out of work. The manufacturer is also encrypting the system which makes attempting to circumvent it illegal under the DMCA act.

Talking about TSOs misses the point. You obviously think you're equipped to discuss this topic so why even argue from a point of view you know is irrelevant to the original point: that of ownership rights. I can understand the non-technical people using this example incorrectly, but please! The same with cars, people build kit cars themselves and do their own restoration - often outside of the original standards. It is clear that you completely misread or misunderstood my original examples, so let's simplify them:

If you buy an electronic mouse trap and take it home you have the right to modify that mouse trap to make it work better (or worse). Was that simple enough for you?


"And business reasons aren't valid reasons?"
Of course they are, but Alti-2 never claimed business reasons. They stated outright that they can't release the protocol because it would allow the user to change the hardware. My god, I develop commercial applications! At least I have the balls to say 'no, I'm not opening this up because it's MINE!' not some weak excuses that simply raise more questions. Did you actually read the original post I made or are you channelling my dead self from the future and I'm misquoting myself in the past?

"This is a serious allegation to make where you suggest Alti-2 makes an unsafe product. "

No, I said they made an INSECURE PRODUCT. Try paying attention, it'll be less frustrating for us both.

"Well, just write a script that exports the data from Paralog to awk or whatever you fancy."
No. You're once again missing the point.

"BTW you don't regard it questionable to decompile and reuse someone else's intellectual property?"
Hmmm no. It's done on a daily basis by companies all over the United States. It was brought up as a half serious remark in the interests of education. Reverse engineering for compatibility is legal and standard operating procedure. Taking Paralog, rewriting it and rebranding it and reselling it - yeah, that's pretty unethical. Decompiling it, learning what I can from it and then writing my own application I have no issue with. Decompiling it, learning what I can from it, writing a specs document and giving it to a coder friend and then selling the finished product I don't find unethical either.

"That is not what I read: it says that if you were using your own protocol, you could inadvertently change some settings which could have safety implications."
You're reading it wrong then. What THEY said was:
"Neptune not only has the capability of downloading jump data, it is also an upgradeable device. In other words, it is possible to write new data to Neptune. On one hand this is a great feature which allows users to always have the latest version of code. On the other hand, Neptune code and/or user settings can be corrupted if misused, potentially creating a dangerous situation. For this reason the communication protocol is proprietary. " - paraphrased: Since our protocol allows you to change things within the neptune programming we cannot allow the end user to have information about it. (this is called 'security via obscurity' and NEVER works, ask Microsoft and numerous other commercial closed systems vendors).

"Trivial? Probably. Just go ahead... I think your imagination has run a little wild here. The Neptune isn't wide open. You can't just go around zapping it. You'd need some physical intervention to update the settings and updating the firmware needs some more work. Tamperproof enough for me." And no one will ever need more than 64k of RAM. Please explain to me why it's not wide open in detail, I'd love to hear it. I'm only basing what I said on Alti-2's own documentation. Sorry if you know more than I do. The fundamental flaw is that the ability to upgrade the unit without the unit providing an integrity check or validation function (and as the owner of a Neptune that died during a flash upgrade I know this to be true) leaves the unit open to abuse - albeit a small window. From what I can see crashing the unit requires initiating a data connection, getting through the handshake and then hitting it up with some invalid data.


I remember seeing some guy getting attacked for talking about ways to sabotage rigs with exactly the same type of ill-mannered vehemence. Just because you think it unlikely doesn't mean it can't be done.

Cracking hardware and software is as easy as cracking businesses. Just because you have issues comprehending why or how doesn't mean others have similar issues.

" There is always the possibility that someone would take the trouble to place a doctored firmware on the Alti-2 server. " Ok, so you can imagine someone hacking the webserver but not the device itself? ok.....:S

"Reverse engineer to your heart's content, but I fail to understand why you expect Alti-2 to make the comms API public" As you continue to miss the point in a way that leads me to believe that you're either misreading what I wrote, somewhat incompetent or completely out of your depth in this discussion - my statement contained no expectation, only an amicable solution that might be acceptable in a perfect world.

Please feel free to PM me with any further "analysis" of my statements. You may also want to review this for next time.:P

To those engineers, programmers, hackers and geeks that have contributed to the discussion and understood my intent, thank you.

TV's got them images, TV's got them all, nothing's shocking.

Quote

Nice insult about my work, thanks.



It was a tit for tat response that you invited.

Quote


Rightly or wrongly people place trust in their equipment. Any weakness in that equipment should be discussed openly, and passionately. Hell there's 260+ posts in a discussion with many of them from people who thought that a cypres would magically know if a person was swooping or in freefall and want the company to admit that they screwed up.



The posting volume there is related to the fact that at least a significant minority believe the cypres is akin to training wheels on a bicycle. There have been many AAD wars before.

Quote

There is always the possibility that someone would take the trouble to place a doctored firmware on the Alti-2 server. " Ok, so you can imagine someone hacking the webserver but not the device itself? ok.....:S



Most people's neptunes aren't accessible to a foreign infrared transmitter. There is just enough concern of theft that these items are typically kept on the wrist, or in a pocket, or inside the helmet. Wouldn't stop a discreet thief, but likely to end up as it did for that guy at WFFC.

OTOH, lots of people stay up top of the firmware updates as Alti-2 has steadily improved the product. You could hit a lot of people without the risk of getting your ass kicked.

Quote

Quote

Nice insult about my work, thanks.



It was a tit for tat response that you invited.



I'm beginning to realize that you're not capable of discussing this. My comment wasn't an insult, it was a simple statement: you found the entire thing "ridiculous" and I pointed out why that was. I'm sorry if you felt I was being derogatory by making an assumption that you don't work in the same industry based on your reaction.

I've also realized that this isn't the place to discuss this sort of stuff, which is a greater shame in my opinion, considering how many technical people frequent this forum and what a free flow of information might have resulted in.

TV's got them images, TV's got them all, nothing's shocking.

Quote

If you buy an electronic mouse trap and take it home you have the right to modify that mouse trap to make it work better (or worse). Was that simple enough for you?



So go ahead, I'm sure you have that right with regard to anything you purchase, including the Neptune. I'm just not sure that it's the manufacturer's responsibility to make it easy for you, and that includes Alti-2.
"Where troubles melt like lemon drops, away above the chimney tops, that's where you'll find me" Dorothy

It depends, personally I'd want it targeted to as few people as possible - that's assuming I'd want to meddle with the hardware (which I DON'T, for those of you incapable of keeping score) far less likely to be detected in the short term. Compromising the primary download is usually discovered very quickly if previous intrusions show anything.

TV's got them images, TV's got them all, nothing's shocking.

I'm sorry, did I wake up on a completely different f***** planet today!?!?!

I wasn't saying they should, I used cars and rigs as an example earlier. A bunch of people missed the point and started discussing the legality of changing cars and rigs.

TV's got them images, TV's got them all, nothing's shocking.

Are you able to make your point without typing a diatribe? Frankly the long winded discourses you written cover get boring. Make it easy for us stupid people, be brief and to the point and take the emotion out of your posts.

In 3 short bullet points can you say what you want?
"Where troubles melt like lemon drops, away above the chimney tops, that's where you'll find me" Dorothy

Before this goes over the edge into the abyss let me say the following. Wanting to write your own code or manufacture your own version of something is not necessarily bad as long as it abides by the laws governing that type of work/product. However, a company that chooses to enter a business deal with another company has all the right to maintain the rights to their product and anything they deem to be proprietary in regards to their product and or process and doesn't have to make the "secret sauce" available to the masses. In some cases they may not be able to do so legally due to previous agreements. That's business plain and simple. If you don't happen to share the same philosophy that the company does in how it manages its property that's fine and dandy but don't expect them to hand you the key to the kingdom simply because you ask or think you can create a better mouse trap. I won't even get into the moral and legal ramifications of reverse engineering or outright hacking as that is a different topic and should have its own thread entirely. If you think you can produce a better mouse trap then do so legally on your own or find another company willing to share their "secret sauce" with you and allow you to make changes to it. Trying to address an issue like this without considering the business aspects and blaming or accusing the company for its actions is shortsighted.
"It's just skydiving..additional drama is not required"
Some people dream about flying, I live my dream
SKYMONKEY PUBLISHING

Quote

To change the subject, does anybody know how many jumps can be logged and if it is saved when I change the battery?
It seems that I can only review the details for the last 10 jumps, is that true? I think I remember reading that the demo version of the download sw can only take 20 jumps/book. What happens if there are 100 jumps in the unit? Are they lost?



http://www.alti-2.com/Neptune_Owners_Pages/Neptune_Docs/Nep%20Man%20-%20V7.pdf

A summary of your jumps is available (Menu > Log Book > Summary), which shows total jumps and total freefall time. Detailed jump logs can be viewed for the last 10 jumps, and can be reviewed on a jump by jump basis

The manual isn't very clear on this. What happens is if you're using Paralog, only the last 10 jumps on the Neptune will be able to be downloaded with the detailed profile / graph. On the Neptune, only the last 200 jumps will have details such as altitudes and date. I just checked mine and I have these for the last 255 jumps. After that, only the total number of jumps and total freefall time is still on the Neptune.

I've never lost any data changing batteries or updating firmware.

Once you buy the Paralog license set up for your Neptune, there are no software restrictions, but the Neptune has a limited memory. To get around this, either bring your laptop to the DZ, use another computer at/near the DZ, use the Pocket PC downloader, use the Palm OS companion, do less than 10 jumps a trip, or accept the fact that you might lose a few graphs.

Paralog and the Neptune are great. Both have given me quick responses to any questions I've had. Both are constantly improving their products and adding new cool features.
BASE 1224, Senior Parachute Rigger, CPL ASEL IA, AGI, IGI
USPA Coach & UPT Tandem Instructor, PRO, Altimaster Field Support Representative

What I didn't hear from anyone who doesn't like Paralog was what they didn't like or what they would want changed. The same goes for those opposed to JAVA. What is it you don't like about JAVA? Paralog uses JAVA and is also the only datalogger on the market that works with ALL OS's (WIN, MAC, LINUX) to include PALM and smart devices as well as with all dataloggers (L&B, Alti-2, Parasport) on the market.

Just out of curiosity, if you are upset with Alti not giving up their protocol why are you not upset with L&B not giving their protocol up?
"It's just skydiving..additional drama is not required"
Some people dream about flying, I live my dream
SKYMONKEY PUBLISHING

I think Java is slow. It takes too long to load the VM. I would prefer writing my own than using someone else's. The only reason I focus on Alti-2 is because I own a Neptune. If I owned a Protrack I would focus on L & B. I am not upset with Alti-2, just disappointed with them on this one point. I would much rather put together my own version of Paralog, then when I feel that it is good enough I would possibly try selling it as an alternative to Paralog.


I would be happy to sign a nondisclosure agreement. But that was never offered.

Paralog is not as universally compatible as you suggest. I haven't been able to make Neptune/Mac OS 10.4/Paralog work, and, to the best of my knowledge, neither has Klaus.

I'd like to hear from someone who is successful with ProTrack/Mac OS 10.4/Paralog. I'm skeptical, because the RS232-USB adapter makers claim compatibility only with "OS 8.6 and above" which I'm not convinced includes OS 10.

Mark

I wasn't upset with them. I use a Neptune so I only care about manipulating that. Everyone else got caught up in the Neptune hardware issues.

Please don't misunderstand wanting to write your own tool with not liking Paralog. Paralog seems very nice but I personally find it clunky and overdone. That is my personal taste, I am lucky in that I have the skills to build my own software that fit my own tastes rather than having to 'make do'. As a platform Java's just offensive technically for a number of reasons. Not the least is compatibility issues, a need for a VM, responsiveness, resource hogging. That's excluding any aesthetic and design issues.

From a hacking perspective (in the 'likes to learn stuff' way) it's always difficult to understand why any vendor wouldn't make interoperating with their hardware easier.

Considering the lip service paid to the 'community' aspects of skydiving it's even more confusing as to why any small, customer focused company would want to restrict their users to ONE software package - regardless of the business or technical reasons why. As a geek it doesn't really make much sense. Even a little applet that let you grab the raw data would be fine - cripple it, obfuscate it. Just don't force me to use someone else's product to do such a trivial task.

On the flip side: I've started documenting the protocol, I have a great deal of reading to do but it doesn't seem too obscure so far.

To clear up any confusions: I do have a Neptune. I really like my Neptune. I have looked at Paralog and think it's a nicely written piece of software if that's your thing.

I'd go further but I realize that some people have issues with following longer posts.

TV's got them images, TV's got them all, nothing's shocking.

Don't let it trouble you, they just don't get it.

The saddest part is that the original security through obscurity argument is complete bullshit, and a device like this should have an open data read protocol and protected firmware. That said there are a lot of easier ways to kill yourself or someone else.

Compared to the pain of reprogramming this device snooping the wire is totally trivial so the original argument offered for keeping this obscure seems utterly ludicrous, but lucid thought is not compulsory.

I wouldn't dream of touching an alti's firmware but I wouldn't hesitate to read the log data.

All this aside if binary only was their issue (that's not even secure even without snooping the protocol) they could have trivially written an abstraction API over a binary interface library that only read log data and they'd be no worse off than a shipping application that reads the log.

It takes a really gifted:S engineer to look at this problem and conclude you have to rewrite everything from the ground up or hand the protocol secretly to a monopoly 3rd party to exclusively add it to their software. It's just complete engineering tosh.
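
The split argued for in the post above (log reads open to anyone, firmware writes protected, and no crash on bad input), modelled as an added example that is not part of the original thread and is not Alti-2's or Paralog's protocol. The opcodes, frame layout and key are hypothetical, and the HMAC stands in for a vendor signature.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical opcodes and frame layout, invented for this example.
OP_READ_LOG = 0x01
OP_WRITE_FW = 0x02
MAX_PAYLOAD = 4096
TAG_LEN = 32  # HMAC-SHA256 output size


def make_frame(opcode, payload=b""):
    """Host side: opcode(1) | length(2, big-endian) | payload | CRC32(4)."""
    body = struct.pack(">BH", opcode, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def sign_firmware(key, image):
    """Vendor side: append an authentication tag to the image.
    Assumption: a real design would use an asymmetric signature so the
    device holds only a public key; HMAC keeps this example stdlib-only."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


class Device:
    """Device side: documented read path, authenticated write path."""

    def __init__(self, key, firmware, jump_log):
        self._key = key
        self.firmware = firmware
        self._log = jump_log

    def handle(self, frame):
        """Return (status, data); malformed input is rejected, never raised."""
        if len(frame) < 7:  # 3-byte header + 4-byte CRC
            return ("ERR_SHORT", b"")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return ("ERR_CRC", b"")
        opcode, length = struct.unpack(">BH", body[:3])
        payload = body[3:]
        if length != len(payload) or length > MAX_PAYLOAD:
            return ("ERR_LENGTH", b"")
        if opcode == OP_READ_LOG:  # open: needs no secret
            return ("OK", self._log)
        if opcode == OP_WRITE_FW:
            return self._update(payload)
        return ("ERR_OPCODE", b"")

    def _update(self, payload):
        if len(payload) <= TAG_LEN:
            return ("ERR_LENGTH", b"")
        image, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self._key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("ERR_AUTH", b"")
        self.firmware = image  # commit only after the whole image verified
        return ("OK", b"")


def demo():
    key = b"constructed-demo-key"  # constructed sample values throughout
    dev = Device(key, b"FW-1.0", b"jump#1;jump#2")
    good = sign_firmware(key, b"FW-1.1")
    tampered = b"FW-evil" + good[-TAG_LEN:]  # new image, stale tag
    frames = [make_frame(OP_READ_LOG), make_frame(OP_WRITE_FW, tampered),
              make_frame(OP_WRITE_FW, good)[:-9],  # transfer cut short
              b"\xff\xff", make_frame(OP_WRITE_FW, good)]
    return [dev.handle(f)[0] for f in frames], dev.firmware


if __name__ == "__main__":
    print(demo())
```

Knowing the frame format is enough to read the log but not to change the firmware, so publishing the read protocol costs the write path nothing.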

Quote


Considering the lip service paid to the 'community' aspects of skydiving it's even more confusing as to why any small, customer focused company would want to restrict their users to ONE software package - regardless of the business or technical reasons why.



I don't see where they're restricting it to one package. If anyone wants to work with the Neptune, I'd imagine you just need to talk to the right people. Personally if I was running Alti, my first instinct wouldn't be to open up an API to the type of person who's going to run to an internet forum and complain, rather than contact me and discuss the issue.

As for paralog, I don't use it simply because the Neptune support isn't available under Linux. They offered to give me a free license if I wanted to try to get it to work under Linux, but I really didn't have the time to tinker with it. Even so, I thought that was a really fair offer from them.

These companies are very reasonable to work with, you just have to be reasonable with them.

One package = paralog.

The FAQ on their site says they won't give out the API.

No one ran anywhere to complain, it was a theoretical discussion of the type found on any technical forum but with added non-technical people misunderstanding some of the conversation.

TV's got them images, TV's got them all, nothing's shocking.

Quote

Personally if I was running Alti, my first instinct wouldn't be to open up an API to the type of person who's going to run to an internet forum and complain, rather than contact me and discuss the issue.


I assume this is me, so I will answer this one:
I first asked the question here to see if there was an obvious answer but immediately sent a message to Alti-2 when I saw the amount of replies. The answer from Alti-2 was very friendly, but bears the fearful "The information in this email is confidential and may be legally privileged. It is intended solely for the addressee."
Anyway, I hope I still can quote part of it: "For now, we have an agreement with Paralog for Neptune communication protocol that we intend to honor."
I totally respect that, so I forwarded this message to Paralog, cc Alti-2 asking if they would mind opening the protocol. The answer from Klaus Rheinwald was very quick, written at past 8PM for him: "if I understand the attached emails and the statement on their web-site correctly, it is Alti-2's decision not to publish the protocol."
Klaus' answer was also cc'd Alti-2, so I hope to hear back from them sometime soon.

As far as I can read, I am not the only one who would not disagree with a bit of change. Also, I never thought about the security issue because I do not use the Neptune as a primary altimeter and I doubt anyone would ever do that (tampering), but there is a valid (if theoretical) point here. That would suck if someone changed your alarms without you knowing it ;)

To beowulf ("I would much rather put together my own version of Paralog, then when I feel that it is good enough I would possibly try selling it as an alternative to Paralog"), I was more thinking of a simple free program that let you download, upload and maybe read the log book for a start. Anybody would still be free to sell it in any case. Maybe for a donation to a Fund For Free Crutches.

I am everything but a diplomat and I don't have much hope. However, I will post updates if anything moves...

PS: Isn't that funny that the spell checker does not know about altimeters?
