Exploring the Tivax STB-T9 Digital Converter
Over the last few months, I’ve been in charge of setting up some people with digital converter boxes. At the end of that process, I came away with one for myself- the Tivax STB-T9.
Unlike many of the boxes, the Tivax has a serial port on the back of it that can be easily accessed. A few adventurers on the AVS forums started exploring what could be done with the box, and a good amount of my knowledge of the box came from those fine folks. That thread is here: Tivax STB-T9 EPG
My aim is to expand what’s known and what can be done.
To access the serial port, you’ll need a serial cable (RS-232), null modem, and a serial to USB or plain serial cable. Open up your terminal program (Hyperterminal, minicom, gtkterm, other terminal emulator), and set options 115200,8,N,1. You may see a Zmon> prompt depending on if the box is in standby mode or not.
The embedded OS, called ThreadX, is surprisingly helpful, and filled to the brim with every kind of information you could want- try help for a list of commands, and help all for a list of commands+syntax/and or examples.
A few general notes about the system. The history command only shows the most recent commands entered in by the user over serial; the list is reset every time the box enters standby or is powered off.
Any change that is made that isn’t written to the firmware disappears when the box goes into standby or is unplugged.
There is a huge amount of debug & diagnostic information available, much of which suggests disabled functionality or inaccessible features, and points to this being a stripped down version of another product. Sadly, there’s not much that can be done with this information other than look at it and hope.
This brings me to something else you should know about the box: it has two states: extremely verbose and cryptic. The amount of debug information and capabilities is truly impressive- but the error messages (or return messages) border on cryptic/useless for some commands.
Below I’ve included all the remote key codes (which can be found by pressing a button, and noting what hex number shows up on the console). Underneath that, there’s a way to access all the remote features using just the serial port.
IR codes:
standby: 0×9A KEY_NEC_POWER
mute: 0×98
vol+ : 0xB2
vol- : 0×8A
guide: 0×70
info: 0×48
channel +: 0xB0
channel -: 0×88
menu: 0xA2
exit: 0xA0
up arrow: 0×60
left arrow: 0×5A
right arrow: 0xD8
down arrow: 0×68
ok button: 0×58
1: 0×4A
2: 0xA
3: 0×8
4: 0×6A
5: 0×2A
6: 0×28
7: 0×72
8: 0×32
9: 0×30
0: 0xF0
pre-ch: 0xC8
- : 0xE8
signal: 0×52
aspect: 0×12
caption: 0×10
audio: 0xD0
The entire remote’s functions are available thru the zir command.
zir [key]
key:
menu (menu)
exit (exit from menu)
v- (volume down)
v+ (volume up)
p+ (program up)
p- (program down)
sel (select/enter)
mute (mute)
up (up)
dn (down)
l (left)
r (right)
last (last channel)
pow (power)
info (information)
Guide (Guide)
Last (Last Channel)
Aspect (aspect ratio)
Text (-)
cc (subtitle)
Audio (Audio)
Signal (signal strength)
AudioLR (Audio LR)
Fav+ (Fav Up)
Fav- (Fav Down)
Freeze (Freeze)
A few examples:
To change to channel 7-1: zir 7-1
To change to the next channel: zir p+
For aspect ratio, and subtitle, if you want to access one of the later modes, you have to type it in several times until you reach your desired mode.
Tips & Tricks:
How to stop the No Signal logo from bouncing around:
td NosignalLogoTask
zir 0
How it works:
td kills the task named NosignalLogoTask
This stops the bouncing, but the logo is still onscreen, and the easiest way I know of now is to just change the channel.
zir 0 changes to an invalid channel, and since the channel doesn’t exist (and can’t exist) it will always flip back to the last valid channel.
Hidden menus: (From the AVSforum Tivax STB-T9 thread)
This can be accessed thru the remote or by using the commands on the serial port.
By remote:
Press mute, then one of the following 4(!) digit codes
9878 FE information- more in-depth, continuously updated debug info.
9877 Hardware version pops up on screen- no menus, just a dialog box.
9876 Factory set menu. This includes a factory firmware reset option, which will come in useful if you manage to hang the box or write an invalid sequence to disk.
By serial:
Type zir codenumber
The call tracing system:
There’s a builtin call tracer called tltrace. It can show you what functions are triggered by functions and actions.
Here’s the tltrace help:
Usage: tltrace <modules> <priorities> <nestinglevel> {time} {task}
<modules> is the OR of the following mask bits:
Mask Name
0×00000001 Display
0×00000002 Video
0×00000004 Transport
0×00000008 ARIB Topology (Not used)
0×00000010 Audio
0×00000020 Graphics
0×00000040 Video Control Task
0×00000080 BLT
0×00000100 Base Services
0×00000200 Utils
0×00000400 ARIB Verifier (Not used)
0×00000800 SI/PSIP
0×00001000 CHMap
0×00002000 CtrlArray
0×00004000 GPIO
0×00008000 I2C
0×00010000 IR
0×00020000 Power (Not used)
0×00040000 SPI (Not used)
0×00080000 Timer (Not used)
0×00100000 Video User Proc
<priorities> is the OR of the following mask bits.
Mask Priority
0×01 Priority 1 – Important, Rarely used calls
0×02 Priority 2 – Less important, internal calls
0×04 Priority 3 – Commonly used calls
0×08 Priority 4 – Very commonly used calls
<nestinglevel> is the maximum nesting level to trace or -1 for all nesting levels
{time} is the time in seconds to trace, or 0 for no time limit
{task} is the task name to trace, or leave blank for all tasks
tltrace – with no parameters disable tracing
tltracehelp – This message
tltracestatus – display trace status
I’ve used this to track writes to different values (you’ll want to use tltrace 0×00002000 0×0F -1 , which tracks everything involving CtrlArray, which is the save/load code.), and in attempting to get feedback on my attempts at writing directly to some variables.
The way that should update values with the set command is set index value. You can find the index and acceptable values by doing view. I have not been able to successfully use the set command- there’s a report on the AVS forum thread about the box that by changing index 35 to a non-0 number, it will effectively lockup the box, and require you to enter the factory menu to reset the firmware.
Things I Want To Figure Out:
The universal remote code for the box- I went through every code listed on my Jumbo Universal Remote, and tried the code assigned to the standby button above- nothing.
How to change directly to a specific aspect ratio/closed caption mode- I can set the values, and the index is changed, but nothing changes on screen.
New Generation of Malware
AmbiguicCoherence
Well, I know I haven’t written anything in a while. I’ve been caught between a wall and a hard place as they say. Whether to write something that has any relevance to what I do at work, or to write about the world of security or the underground. Software – to follow up with any other post, as in operating systems or new applications that could easily change our efficiency or productivity.
In the security world, I’ve been slacking with my software. My personal fix to easily and completely help out everyone who sends me HijackThis! logs. you might see these in “help me” forums. I have people email me them and I tell them what’s wrong with their PC’s and how they can fix it – without spending an arm and a leg at a retail store and then be told to reformat. Because that should be the last option. I don’t see it being reasonable to have people on support teams without any knowledge of computer support. It doesn’t make you an IT guy or girl if you can install software and run a scan. My grandmother can actually do that. And she’s 87. So, I write an antivirus stinger tool. not to brag, I’ve got more files identified than some major antivirus firms in regards to major viruses (viri) or worms (Storm Worm for example). I meddle in both “hats” as you may have read before, but I won’t share some of my sources unless the law calls for it. My software deals with multiple programming languages but I’m not going to change it or simplify it to one language unless I figure out an easy way to manipulate the OS. Like I said, I’m behind in updates so I can’t write about that.
What I’ve decided to do is write a short blurb about a recent debugging/disassembling accident of mine. I ran into a fancy piece of malware on a chinese website. I was looking for a file, no comment on what it is or why. But, upon dasm, once again, like i’ve done in the past, have hit the wrong shortcut key – i know other people have done the same, and it’s a beginner mistake OR an adv to expert mistake on very minimal sleep. So, upon unloading, this stupid thing blew out the firmware in my router and manipulated the winsock registries. I’ve got a lot of registry experience : both manipulating it, and pushing things through it to change the windows experience… but, the quickness this thing did it’s job and the fact that none of it remained attached to anything is worth writing about. Most worms attach to system files, and viruses manipulate system files and then spread that way. This thing set up a redirect within my routing tables to use a foreign server as a redirect/proxy and then use network traffic normally. So, unless really looking for it, it’s very easy to miss. My router incident is another story in itself, based on my logs, my computer DOS’ed my own router. I’ve got it setup (and the rest of my setup has multiple firewalls and vlans and what not, so unless you know it, you aren’t getting in) to limit my own traffic for specific applications, but an instant DOS attack that cleans up after itself is something new to me.
If you feel like commenting, please do so. If you’ve experienced this, let me know. I’m not going to share the file because I can flag it with every antivirus out there once it’s upacked.
Well, back to work. Hopefully I can get back into the habit of posting things for you all.
Life’s a rolling
AmbiguicCoherence
Well, it might look like we’ve become inactive- I can assure you that we’re not. MountSpyder and I have been really busy doing that work aspect in our lives. I’ve got a few long posts sitting in the draft queue just begging me to finish them. But for updates on what we’ve been looking at and the posts I should have written in the last month – this is what I would have talked about:
Windows 7 is still on the down-low, but as far as posted updates on the underground I’d have to summarize and say a little bit of linux, a little bit of the XP aura, and a little bit of the Microsoft Surface gui. And yes, Vista is still crap.
Intel’s atom processor is making headway to new personal media devices and shrunken laptops – looks good because there is competition and we all know competition fuels better technology.
Verizon put out an IT investigative report in the last few weeks – gives a little better insight on the misconceptions of hacker attacks and how people need to be less scared. “If you aren’t running a credit server, your personal files aren’t of interest.” And “Antiviruses can only handle old definition viruses. These newer real application malware programs are overlooked – and they are what’s really annoying people and cause the problems”.
The MountSpyder and I are going to start brewing our own beer.
Bot nets are still in existance, the spreads usually grow upon holidays; which is when most people click on all those email type cards. Malware applications tied into them like the storm worm or the multi-application, multi-protocal chaos trojan which I’ve been tracking for the last two years are both still around. Which brings me to another topic: I haven’t had the chance to roll out my latest updates on MY antivirus program.
Windows XP Service Pack 3 was released and rereleased all damaged – Office 2007 compatibility packs deleted My Documents folders which contain Office 2003 files – oops? Yea, could have been a two page article.
We’ve got another author for the blog, who can’t think of a handle for himself. But his posts will aliven our linux side.
The world faces a real inter-network problem in the next year. The bandwidth drain is probably going to kill the whole thing. Which then means an internet-3 line will have to be created so the rest of us can overtake the internet-2. A quick link to what I’m talking about.
I’m in the middle of building a cluster at work to do finite element calculations – but the software we need it for limits us to Suse 10.0 : which isn’t bad in itself, but it being old forces an on going search for the old repositories that I need to compile the software. So if anyone has any ideas, I’d love them to be thrown my way. And this link is why I have no problem using Suse.
Apple is still in the dumps about security issues with leopard- ever since the quicktime vulnerabilities were released on the net, it’s all been a wild downwards spiral. A little info to back me up here. And it’s also confirmed by my Pwn2Own post.
We’ll see what comes next. Hopefully we’ll find some time in our schedules.
Are They Nuts?!
Ambiguic Coherence
I worked a long week. I have work to do tonight and tomorrow. None of that matters. The Vole is at it again. June 30th is now the cut off date for XP support. Who remembers the Vista Upgrade Advisor. It didn’t work for upgrades or fresh builds. Eliminate support by next April too. Crazy. That’s what it is. The transistion from 3.x to a start menu in 95 was one thing. It was an essential upgrade. No more boxes on our ‘workspace’. Besides security, usb 2.0, driver support, and fancy features, the progression through 98, 2000, (not ME, ever), and XP was seemless. I don’t want vista. I beta tested it. I don’t care for it. An OS does not need to be that resource intensive. I’m not doing 3D modeling while surfing the internet. I don’t need fancy menu bars to do simple tasks. When it was code named Longhorn, I was alright with it because it gave more organizable features for media and the like. Vista only offers us problems as power users. Security errors and broken updates. One thing was good. One thing – ALSR. I’ll give them that much. If April comes and 7.0 isn’t out, I’m returning to Linux. That’s it.
Pwn2Own – and the Macbook Air Falls
Ambiguic Coherence
I don’t know how many of you follow things like BlackHat, DefCon or even Hope. But besides conferences like those and ethical.hackers, there are things out there like the Thawte contests and the almighty 0Day Pwn2Own. $10,000 prize and the pirates’ booty of the conquered territory. This time around the zero day initiative made a tempting offer (that I truly wish my team was prepared for so I too could have participated) to take down 3 laptops – the Catch? A Macbook Air, A Linux Box, and A Vista Box. All three were up to date laptops.
Day 0, for some of you that’s Day 1, but for the point of it all, rockets launch at the end of the countdown, not on 1. 0Day exploits had to be used. Then the rules differed a bit. Day 1 (day 2), Charlie Miller of ISE (whom I should’ve applied to last summer) took down the macbook air in 2 minutes. Now, for all you mac enthusiasts out there, why the heck would you want one now? Go buy the x300 I was talking about before, it’s better anyway. Back to the current topic- Hacker Glory. Sure, if the week was longer, the linux and the vista laptops would have been exploited too, but that happens on a daily basis (and there probably was lack in preparation for those), hell, I would have just brought stuff to take out the air myself.
I give Charlie Miller props. But I give his coworkers props as well. ISE, the guys who found flaws in the electronic voting machines. I’ve got to hand it to them, though, America won this contest.
I’ll retire and hope that ISE is still around to hire me. – Maryland Represent.
Macs are Unhackable” – 2 minutes. Haha. Glory is the fall of a Mac.
A Brief Overview of Linux Video Card Drivers
Robinton
This article should serve as an overview of Linux graphics card drivers.
The major vendors’ graphics cards perform no different under Linux then they do for Windows: AMD/ATi, Nvidia, and Intel. Each vendor though, has a different way of providing their Linux drivers: Open source, closed source binaries, or a mix of the two.
Nvidia:
They provide closed-source binaries for their cards, as well as a basic open source 2D driver. If you are looking for solid performance from your cards, and want to play 3d games with good frame rates, Nvidia is your best choice. They provide a full-featured control panel which supports virtually all of their features: i.e. Twinview or Xinerama setups for multi-monitors, power management features, full card info, AA and AF tweaking and overrides, and if you have CoolBits available, you also have overclocking options at your fingertips.
Their open-source driver is a basic 2D driver that is heavily obfuscated. As a result, Nvidia is more or less the only contributor. An alternative to these 2D drives is the Nouveau open-source driver. It aims to handle 2D and 3D acceleration for all but the oldest of the Nvidia line. Currently it does 2D operations very well, but there is extremely limited 3D support for GeForce 6 and 7 series cards. Their website is: Nouveau
Intel:
Intel’s chipsets are all currently integrated motherboard gpus, and do not perform nearly as well as AMD’s or Nvidia’s graphics cards. Their cards all have open source drivers. Recently the register guides for the 965 and G35 cards were released, which cover all aspects of the card including 3D operations. These should all work out of the box nearly flawlessly.
More information on the release of the register guides Intel releases docs on 965 and G35 IGPs
AMD/ATi:
Unlike the other two brands, this is a story of change. What follows is a somewhat long summary of their drivers and position towards Linux. Bottom line: Their older and ancient series cards are very well supported, and can exercise nearly as much of their functionality as they ever will. The R500 and R600 (X1000 and HD series) are supported decently by the closed-drivers, and open-source support is shaping up to be quite good, and will only get better, but right now, if you’re looking for open source drivers, anything above midrange is buying for the potential it has to offer, rather than what it can do now. Unless Nvidia does something in the next 6 months to a year, they could be demoted to second choice after many, many years of being #1.
How did we get to this position? A long, long time ago (back in the time of R200- the 9xxx series) AMD/ATi were supportive of the Linux community, and provided documents under Non-Disclosure Agreements (NDAs) for the, then, current cards. As a result, drivers were quite good, and were able to perform very well under Linux. Then something changed, and the documentation dried up.
We’ll call this period “The Dark Ages”. Without official support, there were two choices: reverse engineer everything and add it to the current open-source driver, or use the closed-source driver FGLRX.m This period formed many people’s opinions of ATi, and created perceptions of the company and its product that are hard to shake even to this day. Things were so bad that you wouldn’t bother advising anyone with a new ATi card to install Linux because the drivers were so crappy; in fact, if you wanted to run Linux anyway, you’d almost have to go get a new card- either one of the old, well-supported Radeon cards, or an Nvidia card, which had excellent closed-source drivers.
Fast-forward to 2007, and on the surface, it appeared that nothing would really change: reverse engineering was still the order of the day, and the FGLRX drivers were still widely regarded as crap: they worked, but each had its share of bugs, and regressions might strike at any time, and the performance just wasn’t there. A new driver release that year did in fact bring massive gains for the newer cards, but it also had its share of problems, and wasn’t nearly as good for older card owners. Then AMD started to drop hints about helping out the open-source community in early September:
AMD: Accelerating Open-Source Drivers?
Given ATi’s history, the community at large was understandably skeptical, especially since they’d been burned before when support dried up and left them to fend for themselves. Then in less than two weeks, it went from talk, to NDA-free specifications, to an actual release of specifications. It definitely turned heads, and even more so when the officially-supported RadeonHD open-source driver was released to the public. Since then, more specifications have been opened, and AMD has a public representative from their team on Phoronix’s forums to talk about any and everything related to the driver and AMD’s intentions for the future, as it pertains to the open-source community.
What he’s been saying has been very encouraging: they are looking to open up as much as they legally can, and are actually planning future models (beyond what’s currently out), so that the Unified Video Decoder stuff is not tied to the DRM module as it currently is. This would be incredibly awesome to say the least, as it would mean hardware decoding of all current and future video formats would be possible, as opposed to just MPEG-2 video.
The Radeon driver (open-source) currently provides support for nearly all but the newest lines, and should be available in your distributions package manager. RadeonHD on the other hand is best compiled from source to make sure you get the latest features, and also because the released versions become old very quickly as new features and bug fixes are added.
My thanks to Phoronix for their one-of-a-kind coverage of the Linux graphics card field, because without them and their tireless coverage of the topic, there’s no way this article could have been written. I’d also like to thank John Bridgman from AMD who’s spent a considerable amount of time on the Phoronix forums talking to posters and answering questions as best he can.
Rainbow Tables
AmbiguicCoherence
Everyone knows that a faster, more efficient way of solving a problem is usually better.
[Unless you get paid by the hour of course]
It should be common knowledge, at this point in the computing era, that passwords are not stored in plain text on a computer. You can’t simply do a search off the start menu (for those window’ users out there). Side note: I use all operating systems, including UNIX, so don’t start with any of that OS battle crap. Where was I?, Passwords are stored in encrypted strings of characters called Hashes, with a specific length, pattern, and style – usually generated with an equation or sorts. Billions of possible combinations can be generated and each combination of characters represents a unique decrypted word.
One of the most common forms of password decryption is to brute force a password. This method is like trying to break down a door or better yet, trying to pick a lock. The shortest way to describe this method is to try, starting with a to zzzzzz if you are trying a 1 to 6 character in length password (alpha only for those of you who know far to well more than what I’m haphazardly writing in this blog, just trying to k.i.s.s.) and trying every possible password in between. The main problem with this method is that it takes far too long and far too much processing power to guess a long password quickly. Curious? Look up Brutus AE or Jack the Ripper.
Another common technique is to use word lists. A word list is, you’ve guessed it, a very long list of commonly used words. On average, I’ve seen lists of 20million words or more used, roughly a 50mb text file. This technique is less accurate in terms of ‘guessing everything possible’ than brute forcing, but can take a lot less time. Curious? Look up Access Diver or anything by Seven (good luck there).
At this point, I’m going to avoid making this sound like a hacker’s blog because it’s probably not allowed on WordPress. And I’ve been out of the scene for quite some time now. (Many ‘a Hat Color) I’m just trying to throw out some answers to those many questions that “the rest of us” know without going into much detail.
Now that I’ve given two other examples of what Rainbow Tables might be used for, I’ll go ahead and talk about them.
… And yet another work week has passed …
We start with a password in plaintext. Using a hash function, we convert it through a one-way equation to make a long hash of it. A hash function’s job is to prevent a reversal of itself. So that if ABCD – > 1234, we couldn’t run the equation backwards and do 1234 -> ABCD. Something like this would be far too simple. Hash cracking basics suggest that can either produce one hash at a time (like brute forcing) – producing one hash at a time and trying it against the one we’re trying to break. Or precalculate the hashes for a dictionary, load them into memory, and find the one we want. The trouble with this approach, no one has the computing power or memory capacity necessary to run an application to search a list of that magnitude.
Next, we use what is known as a reduce function – or reiteration from abbreviation (which is a term I learned in a machine level programming class). A reduction function takes a converted hash, truncates it, produces another hash from that simpler hash, and continues the cycle with that hash. When a rainbow table is produced, it takes this reduction function and runs with a single plain text or several and stores the chains. Each chain can represent millions to billions of hashes. Each table has a single plain text and a single ending hash. The following is a general procedure of the Rainbow Table algorithm:
Step one: Of all the chains produced, compare the hash you are trying to break with all the end hashes. If it matches, then that chain contains the original hash and in turn the plain text. If it doesn’t match, reduce the hash and continue the process. Upon identification of the needed chain, we use use the plain text at the start of that chain to figure out the original plain text of the unknown password.
Step two: start rehashing and reducing that starting plain text while remembering the reduced part of the previous hash and the newly generated hash from that iteration. This is so that, after we generate a new hash during that loop, if it matches the hash we have, then that reduced hash from the previous loop in in fact the plain text of the password we are searching for. And Viola, password found (not cracked, because we did no cracking or attack).
To avoid false positives, multiple reduction functions are used in our table in the different chains. This greatly increases the probability of finding the correct plain text. A rainbow table set that is approximately 120GB of all alpha-numeric-symbol, can usually find what you need. But, you’ll need weeks of time and a powerful resource hungry system to run it.
Thank you Dr. Phillipe Oechslin for writing the white paper on rainbow tables. I’m glad I had my EE degree handy so I could understand it. [ http://lasecwww.epfl.ch/philippe.shtml ]
few quotes
AmbiguicCoherence
“Someday, there will be no workers, only artists.” -Seeker1
“This is how it works. Whatever you sink, we build back up. Whomever you sue, ten new pirates are recruited. Wherever you go, we are already ahead of you. You are the past and the forgotten, we are the internet and the future.”- brokep 20.8.07
“How far are we gonna take this… The question is not how far. The question is, do you possess the constitution, the depth of faith, to go as far as needed?” -Boondock Saints
“Not even norton can protect you”- “Retaliation, retribution, revenge, call it what you will, but it is a sad day in a person’s life when he/she fucks with a hacker.” -The Amish (prologue from jinx)
“Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…
Damn kids. They’re all alike.
But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world… Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…
Damn underachiever. They’re all alike.
I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”
Damn kid. Probably copied it. They’re all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me… Or thinks I’m a smart ass…
Or doesn’t like teaching and shouldn’t be here…Damn kid. All he does is play games. They’re all alike.
And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…
Damn kid. Tying up the phone line again. They’re all alike…
You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.” – The Mentor
Painters and Hackers
AmbiguicCoherence
The following was written by Paul Grahmn. It is a very insightful essay that outlines the key facts about hackers-Who we are, why we don’t like to be considered malicious and ho, as being power users, we really are just painters in an artistic world of technology.
[ http://www.paulgraham.com/hp.html]
May 2003
(This essay is derived from a guest lecture at Harvard, which incorporated an earlier talk at Northeastern.)
When I finished grad school in computer science I went to art school to study painting. A lot of people seemed surprised that someone interested in computers would also be interested in painting. They seemed to think that hacking and painting were very different kinds of work– that hacking was cold, precise, and methodical, and that painting was the frenzied expression of some primal urge.
Both of these images are wrong. Hacking and painting have a lot in common. In fact, of all the different types of people I’ve known, hackers and painters are among the most alike.
What hackers and painters have in common is that they’re both makers. Along with composers, architects, and writers, what hackers and painters are trying to do is make good things. They’re not doing research per se, though if in the course of trying to make good things they discover some new technique, so much the better.
I’ve never liked the term “computer science.” The main reason I don’t like it is that there’s no such thing. Computer science is a grab bag of tenuously related areas thrown together by an accident of history, like Yugoslavia. At one end you have people who are really mathematicians, but call what they’re doing computer science so they can get DARPA grants. In the middle you have people working on something like the natural history of computers– studying the behavior of algorithms for routing data through networks, for example. And then at the other extreme you have the hackers, who are trying to write interesting software, and for whom computers are just a medium of expression, as concrete is for architects or paint for painters. It’s as if mathematicians, physicists, and architects all had to be in the same department.
Sometimes what the hackers do is called “software engineering,” but this term is just as misleading. Good software designers are no more engineers than architects are. The border between architecture and engineering is not sharply defined, but it’s there. It falls between what and how: architects decide what to do, and engineers figure out how to do it.
What and how should not be kept too separate. You’re asking for trouble if you try to decide what to do without understanding how to do it. But hacking can certainly be more than just deciding how to implement some spec. At its best, it’s creating the spec– though it turns out the best way to do that is to implement it.
Perhaps one day “computer science” will, like Yugoslavia, get broken up into its component parts. That might be a good thing. Especially if it meant independence for my native land, hacking.
Bundling all these different types of work together in one department may be convenient administratively, but it’s confusing intellectually. That’s the other reason I don’t like the name “computer science.” Arguably the people in the middle are doing something like an experimental science. But the people at either end, the hackers and the mathematicians, are not actually doing science.
The mathematicians don’t seem bothered by this. They happily set to work proving theorems like the other mathematicians over in the math department, and probably soon stop noticing that the building they work in says “computer science” on the outside. But for the hackers this label is a problem. If what they’re doing is called science, it makes them feel they ought to be acting scientific. So instead of doing what they really want to do, which is to design beautiful software, hackers in universities and research labs feel they ought to be writing research papers.
In the best case, the papers are just a formality. Hackers write cool software, and then write a paper about it, and the paper becomes a proxy for the achievement represented by the software. But often this mismatch causes problems. It’s easy to drift away from building beautiful things toward building ugly things that make more suitable subjects for research papers.
Unfortunately, beautiful things don’t always make the best subjects for papers. Number one, research must be original– and as anyone who has written a PhD dissertation knows, the way to be sure that you’re exploring virgin territory is to to stake out a piece of ground that no one wants. Number two, research must be substantial– and awkward systems yield meatier papers, because you can write about the obstacles you have to overcome in order to get things done. Nothing yields meaty problems like starting with the wrong assumptions. Most of AI is an example of this rule; if you assume that knowledge can be represented as a list of predicate logic expressions whose arguments represent abstract concepts, you’ll have a lot of papers to write about how to make this work. As Ricky Ricardo used to say, “Lucy, you got a lot of explaining to do.”
The way to create something beautiful is often to make subtle tweaks to something that already exists, or to combine existing ideas in a slightly new way. This kind of work is hard to convey in a research paper.
So why do universities and research labs continue to judge hackers by publications? For the same reason that “scholastic aptitude” gets measured by simple-minded standardized tests, or the productivity of programmers gets measured in lines of code. These tests are easy to apply, and there is nothing so tempting as an easy test that kind of works.
Measuring what hackers are actually trying to do, designing beautiful software, would be much more difficult. You need a good sense of design to judge good design. And there is no correlation, except possibly a negative one, between people’s ability to recognize good design and their confidence that they can.
The only external test is time. Over time, beautiful things tend to thrive, and ugly things tend to get discarded. Unfortunately, the amounts of time involved can be longer than human lifetimes. Samuel Johnson said it took a hundred years for a writer’s reputation to converge. You have to wait for the writer’s influential friends to die, and then for all their followers to die.
I think hackers just have to resign themselves to having a large random component in their reputations. In this they are no different from other makers. In fact, they’re lucky by comparison. The influence of fashion is not nearly so great in hacking as it is in painting.
There are worse things than having people misunderstand your work. A worse danger is that you will yourself misunderstand your work. Related fields are where you go looking for ideas. If you find yourself in the computer science department, there is a natural temptation to believe, for example, that hacking is the applied version of what theoretical computer science is the theory of. All the time I was in graduate school I had an uncomfortable feeling in the back of my mind that I ought to know more theory, and that it was very remiss of me to have forgotten all that stuff within three weeks of the final exam.
Now I realize I was mistaken. Hackers need to understand the theory of computation about as much as painters need to understand paint chemistry. You need to know how to calculate time and space complexity and about Turing completeness. You might also want to remember at least the concept of a state machine, in case you have to write a parser or a regular expression library. Painters in fact have to remember a good deal more about paint chemistry than that.
I’ve found that the best sources of ideas are not the other fields that have the word “computer” in their names, but the other fields inhabited by makers. Painting has been a much richer source of ideas than the theory of computation.
For example, I was taught in college that one ought to figure out a program completely on paper before even going near a computer. I found that I did not program this way. I found that I liked to program sitting in front of a computer, not a piece of paper. Worse still, instead of patiently writing out a complete program and assuring myself it was correct, I tended to just spew out code that was hopelessly broken, and gradually beat it into shape. Debugging, I was taught, was a kind of final pass where you caught typos and oversights. The way I worked, it seemed like programming consisted of debugging.
For a long time I felt bad about this, just as I once felt bad that I didn’t hold my pencil the way they taught me to in elementary school. If I had only looked over at the other makers, the painters or the architects, I would have realized that there was a name for what I was doing: sketching. As far as I can tell, the way they taught me to program in college was all wrong. You should figure out programs as you’re writing them, just as writers and painters and architects do.
Realizing this has real implications for software design. It means that a programming language should, above all, be malleable. A programming language is for thinking of programs, not for expressing programs you’ve already thought of. It should be a pencil, not a pen. Static typing would be a fine idea if people actually did write programs the way they taught me to in college. But that’s not how any of the hackers I know write programs. We need a language that lets us scribble and smudge and smear, not a language where you have to sit with a teacup of types balanced on your knee and make polite conversation with a strict old aunt of a compiler.
While we’re on the subject of static typing, identifying with the makers will save us from another problem that afflicts the sciences: math envy. Everyone in the sciences secretly believes that mathematicians are smarter than they are. I think mathematicians also believe this. At any rate, the result is that scientists tend to make their work look as mathematical as possible. In a field like physics this probably doesn’t do much harm, but the further you get from the natural sciences, the more of a problem it becomes.
A page of formulas just looks so impressive. (Tip: for extra impressiveness, use Greek variables.) And so there is a great temptation to work on problems you can treat formally, rather than problems that are, say, important.
If hackers identified with other makers, like writers and painters, they wouldn’t feel tempted to do this. Writers and painters don’t suffer from math envy. They feel as if they’re doing something completely unrelated. So are hackers, I think.
If universities and research labs keep hackers from doing the kind of work they want to do, perhaps the place for them is in companies. Unfortunately, most companies won’t let hackers do what they want either. Universities and research labs force hackers to be scientists, and companies force them to be engineers.
I only discovered this myself quite recently. When Yahoo bought Viaweb, they asked me what I wanted to do. I had never liked the business side very much, and said that I just wanted to hack. When I got to Yahoo, I found that what hacking meant to them was implementing software, not designing it. Programmers were seen as technicians who translated the visions (if that is the word) of product managers into code.
This seems to be the default plan in big companies. They do it because it decreases the standard deviation of the outcome. Only a small percentage of hackers can actually design software, and it’s hard for the people running a company to pick these out. So instead of entrusting the future of the software to one brilliant hacker, most companies set things up so that it is designed by committee, and the hackers merely implement the design.
If you want to make money at some point, remember this, because this is one of the reasons startups win. Big companies want to decrease the standard deviation of design outcomes because they want to avoid disasters. But when you damp oscillations, you lose the high points as well as the low. This is not a problem for big companies, because they don’t win by making great products. Big companies win by sucking less than other big companies.
So if you can figure out a way to get in a design war with a company big enough that its software is designed by product managers, they’ll never be able to keep up with you. These opportunities are not easy to find, though. It’s hard to engage a big company in a design war, just as it’s hard to engage an opponent inside a castle in hand to hand combat. It would be pretty easy to write a better word processor than Microsoft Word, for example, but Microsoft, within the castle of their operating system monopoly, probably wouldn’t even notice if you did.
The place to fight design wars is in new markets, where no one has yet managed to establish any fortifications. That’s where you can win big by taking the bold approach to design, and having the same people both design and implement the product. Microsoft themselves did this at the start. So did Apple. And Hewlett-Packard. I suspect almost every successful startup has.
So one way to build great software is to start your own startup. There are two problems with this, though. One is that in a startup you have to do so much besides write software. At Viaweb I considered myself lucky if I got to hack a quarter of the time. And the things I had to do the other three quarters of the time ranged from tedious to terrifying. I have a benchmark for this, because I once had to leave a board meeting to have some cavities filled. I remember sitting back in the dentist’s chair, waiting for the drill, and feeling like I was on vacation.
The other problem with startups is that there is not much overlap between the kind of software that makes money and the kind that’s interesting to write. Programming languages are interesting to write, and Microsoft’s first product was one, in fact, but no one will pay for programming languages now. If you want to make money, you tend to be forced to work on problems that are too nasty for anyone to solve for free.
All makers face this problem. Prices are determined by supply and demand, and there is just not as much demand for things that are fun to work on as there is for things that solve the mundane problems of individual customers. Acting in off-Broadway plays just doesn’t pay as well as wearing a gorilla suit in someone’s booth at a trade show. Writing novels doesn’t pay as well as writing ad copy for garbage disposals. And hacking programming languages doesn’t pay as well as figuring out how to connect some company’s legacy database to their Web server.
I think the answer to this problem, in the case of software, is a concept known to nearly all makers: the day job. This phrase began with musicians, who perform at night. More generally, it means that you have one kind of work you do for money, and another for love.
Nearly all makers have day jobs early in their careers. Painters and writers notoriously do. If you’re lucky you can get a day job that’s closely related to your real work. Musicians often seem to work in record stores. A hacker working on some programming language or operating system might likewise be able to get a day job using it. [1]
When I say that the answer is for hackers to have day jobs, and work on beautiful software on the side, I’m not proposing this as a new idea. This is what open-source hacking is all about. What I’m saying is that open-source is probably the right model, because it has been independently confirmed by all the other makers.
It seems surprising to me that any employer would be reluctant to let hackers work on open-source projects. At Viaweb, we would have been reluctant to hire anyone who didn’t. When we interviewed programmers, the main thing we cared about was what kind of software they wrote in their spare time. You can’t do anything really well unless you love it, and if you love to hack you’ll inevitably be working on projects of your own. [2]
Because hackers are makers rather than scientists, the right place to look for metaphors is not in the sciences, but among other kinds of makers. What else can painting teach us about hacking?
One thing we can learn, or at least confirm, from the example of painting is how to learn to hack. You learn to paint mostly by doing it. Ditto for hacking. Most hackers don’t learn to hack by taking college courses in programming. They learn to hack by writing programs of their own at age thirteen. Even in college classes, you learn to hack mostly by hacking. [3]
Because painters leave a trail of work behind them, you can watch them learn by doing. If you look at the work of a painter in chronological order, you’ll find that each painting builds on things that have been learned in previous ones. When there’s something in a painting that works very well, you can usually find version 1 of it in a smaller form in some earlier painting.
I think most makers work this way. Writers and architects seem to as well. Maybe it would be good for hackers to act more like painters, and regularly start over from scratch, instead of continuing to work for years on one project, and trying to incorporate all their later ideas as revisions.
The fact that hackers learn to hack by doing it is another sign of how different hacking is from the sciences. Scientists don’t learn science by doing it, but by doing labs and problem sets. Scientists start out doing work that’s perfect, in the sense that they’re just trying to reproduce work someone else has already done for them. Eventually, they get to the point where they can do original work. Whereas hackers, from the start, are doing original work; it’s just very bad. So hackers start original, and get good, and scientists start good, and get original.
The other way makers learn is from examples. For a painter, a museum is a reference library of techniques. For hundreds of years it has been part of the traditional education of painters to copy the works of the great masters, because copying forces you to look closely at the way a painting is made.
Writers do this too. Benjamin Franklin learned to write by summarizing the points in the essays of Addison and Steele and then trying to reproduce them. Raymond Chandler did the same thing with detective stories.
Hackers, likewise, can learn to program by looking at good programs– not just at what they do, but the source code too. One of the less publicized benefits of the open-source movement is that it has made it easier to learn to program. When I learned to program, we had to rely mostly on examples in books. The one big chunk of code available then was Unix, but even this was not open source. Most of the people who read the source read it in illicit photocopies of John Lions’ book, which though written in 1977 was not allowed to be published until 1996.
Another example we can take from painting is the way that paintings are created by gradual refinement. Paintings usually begin with a sketch. Gradually the details get filled in. But it is not merely a process of filling in. Sometimes the original plans turn out to be mistaken. Countless paintings, when you look at them in xrays, turn out to have limbs that have been moved or facial features that have been readjusted.
Here’s a case where we can learn from painting. I think hacking should work this way too. It’s unrealistic to expect that the specifications for a program will be perfect. You’re better off if you admit this up front, and write programs in a way that allows specifications to change on the fly.
(The structure of large companies makes this hard for them to do, so here is another place where startups have an advantage.)
Everyone by now presumably knows about the danger of premature optimization. I think we should be just as worried about premature design– deciding too early what a program should do.
The right tools can help us avoid this danger. A good programming language should, like oil paint, make it easy to change your mind. Dynamic typing is a win here because you don’t have to commit to specific data representations up front. But the key to flexibility, I think, is to make the language very abstract. The easiest program to change is one that’s very short.
This sounds like a paradox, but a great painting has to be better than it has to be. For example, when Leonardo painted the portrait of Ginevra de Benci in the National Gallery, he put a juniper bush behind her head. In it he carefully painted each individual leaf. Many painters might have thought, this is just something to put in the background to frame her head. No one will look that closely at it.
Not Leonardo. How hard he worked on part of a painting didn’t depend at all on how closely he expected anyone to look at it. He was like Michael Jordan. Relentless.
Relentlessness wins because, in the aggregate, unseen details become visible. When people walk by the portrait of Ginevra de Benci, their attention is often immediately arrested by it, even before they look at the label and notice that it says Leonardo da Vinci. All those unseen details combine to produce something that’s just stunning, like a thousand barely audible voices all singing in tune.
Great software, likewise, requires a fanatical devotion to beauty. If you look inside good software, you find that parts no one is ever supposed to see are beautiful too. I’m not claiming I write great software, but I know that when it comes to code I behave in a way that would make me eligible for prescription drugs if I approached everyday life the same way. It drives me crazy to see code that’s badly indented, or that uses ugly variable names.
If a hacker were a mere implementor, turning a spec into code, then he could just work his way through it from one end to the other like someone digging a ditch. But if the hacker is a creator, we have to take inspiration into account.
In hacking, like painting, work comes in cycles. Sometimes you get excited about some new project and you want to work sixteen hours a day on it. Other times nothing seems interesting.
To do good work you have to take these cycles into account, because they’re affected by how you react to them. When you’re driving a car with a manual transmission on a hill, you have to back off the clutch sometimes to avoid stalling. Backing off can likewise prevent ambition from stalling. In both painting and hacking there are some tasks that are terrifyingly ambitious, and others that are comfortingly routine. It’s a good idea to save some easy tasks for moments when you would otherwise stall.
In hacking, this can literally mean saving up bugs. I like debugging: it’s the one time that hacking is as straightforward as people think it is. You have a totally constrained problem, and all you have to do is solve it. Your program is supposed to do x. Instead it does y. Where does it go wrong? You know you’re going to win in the end. It’s as relaxing as painting a wall.
The example of painting can teach us not only how to manage our own work, but how to work together. A lot of the great art of the past is the work of multiple hands, though there may only be one name on the wall next to it in the museum. Leonardo was an apprentice in the workshop of Verrocchio and painted one of the angels in his Baptism of Christ. This sort of thing was the rule, not the exception. Michelangelo was considered especially dedicated for insisting on painting all the figures on the ceiling of the Sistine Chapel himself.
As far as I know, when painters worked together on a painting, they never worked on the same parts. It was common for the master to paint the principal figures and for assistants to paint the others and the background. But you never had one guy painting over the work of another.
I think this is the right model for collaboration in software too. Don’t push it too far. When a piece of code is being hacked by three or four different people, no one of whom really owns it, it will end up being like a common-room. It will tend to feel bleak and abandoned, and accumulate cruft. The right way to collaborate, I think, is to divide projects into sharply defined modules, each with a definite owner, and with interfaces between them that are as carefully designed and, if possible, as articulated as programming languages.
Like painting, most software is intended for a human audience. And so hackers, like painters, must have empathy to do really great work. You have to be able to see things from the user’s point of view.
When I was a kid I was always being told to look at things from someone else’s point of view. What this always meant in practice was to do what someone else wanted, instead of what I wanted. This of course gave empathy a bad name, and I made a point of not cultivating it.
Boy, was I wrong. It turns out that looking at things from other people’s point of view is practically the secret of success. It doesn’t necessarily mean being self-sacrificing. Far from it. Understanding how someone else sees things doesn’t imply that you’ll act in his interest; in some situations– in war, for example– you want to do exactly the opposite. [4]
Most makers make things for a human audience. And to engage an audience you have to understand what they need. Nearly all the greatest paintings are paintings of people, for example, because people are what people are interested in.
Empathy is probably the single most important difference between a good hacker and a great one. Some hackers are quite smart, but when it comes to empathy are practically solipsists. It’s hard for such people to design great software [5], because they can’t see things from the user’s point of view.
One way to tell how good people are at empathy is to watch them explain a technical question to someone without a technical background. We probably all know people who, though otherwise smart, are just comically bad at this. If someone asks them at a dinner party what a programming language is, they’ll say something like “Oh, a high-level language is what the compiler uses as input to generate object code.” High-level language? Compiler? Object code? Someone who doesn’t know what a programming language is obviously doesn’t know what these things are, either.
Part of what software has to do is explain itself. So to write good software you have to understand how little users understand. They’re going to walk up to the software with no preparation, and it had better do what they guess it will, because they’re not going to read the manual. The best system I’ve ever seen in this respect was the original Macintosh, in 1985. It did what software almost never does: it just worked. [6]
Source code, too, should explain itself. If I could get people to remember just one quote about programming, it would be the one at the beginning of Structure and Interpretation of Computer Programs.
Programs should be written for people to read, and only incidentally for machines to execute.
You need to have empathy not just for your users, but for your readers. It’s in your interest, because you’ll be one of them. Many a hacker has written a program only to find on returning to it six months later that he has no idea how it works. I know several people who’ve sworn off Perl after such experiences. [7]
Lack of empathy is associated with intelligence, to the point that there is even something of a fashion for it in some places. But I don’t think there’s any correlation. You can do well in math and the natural sciences without having to learn empathy, and people in these fields tend to be smart, so the two qualities have come to be associated. But there are plenty of dumb people who are bad at empathy too. Just listen to the people who call in with questions on talk shows. They ask whatever it is they’re asking in such a roundabout way that the hosts often have to rephrase the question for them.
So, if hacking works like painting and writing, is it as cool? After all, you only get one life. You might as well spend it working on something great.
Unfortunately, the question is hard to answer. There is always a big time lag in prestige. It’s like light from a distant star. Painting has prestige now because of great work people did five hundred years ago. At the time, no one thought these paintings were as important as we do today. It would have seemed very odd to people at the time that Federico da Montefeltro, the Duke of Urbino, would one day be known mostly as the guy with the strange nose in a painting by Piero della Francesca.
So while I admit that hacking doesn’t seem as cool as painting now, we should remember that painting itself didn’t seem as cool in its glory days as it does now.
What we can say with some confidence is that these are the glory days of hacking. In most fields the great work is done early on. The paintings made between 1430 and 1500 are still unsurpassed. Shakespeare appeared just as professional theater was being born, and pushed the medium so far that every playwright since has had to live in his shadow. Albrecht Durer did the same thing with engraving, and Jane Austen with the novel.
Over and over we see the same pattern. A new medium appears, and people are so excited about it that they explore most of its possibilities in the first couple generations. Hacking seems to be in this phase now.
Painting was not, in Leonardo’s time, as cool as his work helped make it. How cool hacking turns out to be will depend on what we can do with this new medium.
Notes
[1] The greatest damage that photography has done to painting may be the fact that it killed the best day job. Most of the great painters in history supported themselves by painting portraits.
[2] I’ve been told that Microsoft discourages employees from contributing to open-source projects, even in their spare time. But so many of the best hackers work on open-source projects now that the main effect of this policy may be to ensure that they won’t be able to hire any first-rate programmers.
[3] What you learn about programming in college is much like what you learn about books or clothes or dating: what bad taste you had in high school.
[4] Here’s an example of applied empathy. At Viaweb, if we couldn’t decide between two alternatives, we’d ask, what would our competitors hate most? At one point a competitor added a feature to their software that was basically useless, but since it was one of few they had that we didn’t, they made much of it in the trade press. We could have tried to explain that the feature was useless, but we decided it would annoy our competitor more if we just implemented it ourselves, so we hacked together our own version that afternoon.
[5] Except text editors and compilers. Hackers don’t need empathy to design these, because they are themselves typical users.
[6] Well, almost. They overshot the available RAM somewhat, causing much inconvenient disk swapping, but this could be fixed within a few months by buying an additional disk drive.
[7] The way to make programs easy to read is not to stuff them with comments. I would take Abelson and Sussman’s quote a step further. Programming languages should be designed to express algorithms, and only incidentally to tell computers how to execute them. A good programming language ought to be better for explaining software than English. You should only need comments when there is some kind of kludge you need to warn readers about, just as on a road there are only arrows on parts with unexpectedly sharp curves.
Thanks to Trevor Blackwell, Robert Morris, Dan Giffin, and Lisa Randall for reading drafts of this, and to Henry Leitner and Larry Finkelstein for inviting me to speak.
programming questions
AmbiguicCoherence
Please don’t email me and ask me for any help debugging your programs. I really don’t care. I’ll look at hijackThis! logs so I can update MY software, but to waste my time debugging yours? Plus, I’m not signing any non-disclosure agreements if I’m not going to see a dime.
