He writes that the phone had the things he wanted most, and while browsing doesn't need a keyboard, writing book chapters and blog posts is painful on a phone screen – hence the painstaking effort to hack the laptop into a keyboard for the phone.
“I use the phone for multiple interfaces, yes VNC, but more often using my laptop’s keyboard to interface to the phone’s existing apps, Termux (to SSH into my laptop), Chrome, Gmail, Whatsapp, etc.”
Sorry to say, part A is always going to be painful – actually starting the laptop blind – and with a tiny screen area working he could remember how to get to the Linux desktop and a terminal screen.
“By a huge stroke of luck I had the extra good fortune to have two text lines worth of working pixels at the top of the screen. Well I say working, they didn’t automatically update, I had to sort of twist the screen with my hands and at some point they’d decide to update.”
To present the laptop's login interface via the phone, he had to install an OpenSSH client (also a blind install), and here's an important lesson for everyone: “always setup an SSH daemon with a strong password on a new laptop”.
For “normal” operations, though, Buckley-Houston wanted to get the laptop's keyboard working as a Bluetooth keyboard to the phone.
By now, though, he's got a screen – so it was just a matter of testing various packages to see which worked best, and settling on one called Hidclient.
The Register won't be trying this ourselves any time soon, but we're sure some of our readers will want to top this experience. We're always listening.
Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way.
In four swish videos, the MedSec team claims it exploited a debugging backdoor in the St Jude-built Merlin@home control unit so it could send commands wirelessly to a patient's defibrillator. The team were able to hijack the control unit after reverse-engineering its software, written in Java, and hooking a laptop to the unit via Ethernet.
MedSec claims it could do away with the Merlin@home altogether, and wirelessly send orders to people's devices in their chests from software-defined radio kit, after working out St Jude's protocols.
Using the compromised terminal, the team says it managed to make the defibrillator vibrate constantly, turn off its heart monitoring software, or get it to administer a mild electric shock, which the actor narrating the video describes as "painful, and can be detrimental to a patient's health if used in an unprescribed manner."
MedSec's CEO Justine Bone explained to The Register that the team had used a hacked MedSec device because it was the easiest route to show deficiencies in the device. By using old debugged developer code left on the device by the original designers, they were able to take control of it.
"We believe that this could be done from any wireless attack platform once someone had written out all protocols," she said. "It's going to be very hard to fix; you'd have to rewrite the RF communication protocols."Some of the attacks, particularly if used in conjunction with each other, could put lives at risk. But she acknowledged that in tests so far the maximum range of the defibrillator was limited to seven feet, so an attacker would have to be up close and personal.Bone also said that the MedSec team hadn't contacted St Jude Medical about the flaws before releasing the videos, and had instead gone to the Food and Drug Administration and the Department of Homeland Security. Bone said this was because St Jude doesn't have a good record of sorting out flaws like this.St Jude confirmed to The Register that MedSec hadn't passed on any details about the flaws, and made the following statement:
"Muddy Waters and MedSec have once again made public unverified videos that purport to raise safety issues about the cybersecurity of St Jude Medical devices. This behavior continues to circumvent all forms of responsible disclosure related to cybersecurity and patient safety and continues to demonstrate total disregard for patients, physicians and the regulatory agencies who govern this industry."The company is also setting up a Cybersecurity Medical Advisory Board to give it tips on how to build more secure products. However, it appears as though it's mostly staffed by doctors, who aren't the best for finding sloppy software holes.The whole sorry saga started in August when MedSec found what it claims were flaws in St Jude's devices. Rather than go to the manufacturer and sort these out, the firm partnered with financial house Muddy Waters and shorted the stock before going public with the news.The security firm now gets a payout based on how far St Jude's stock price falls – the more the better. St Jude and others have disputed the claims, and St Jude is now suing those involved in the disclosures. People who have St Jude devices implanted have been left panicked and confused by the whole matter.
In the meantime, many in the security community are worried that this kind of disclosure is just going to increase fear, uncertainty, and doubt in an industry sector already bedeviled with it. If short selling becomes the norm, then headlines rather than fixes will become the goal, and it's difficult to see how that benefits end users.
HP Inc has disclosed pricing for HP Workspace, the Windows app-streaming service that allows its new Elite x3 business phone to fully replace a PC.
Although Universal apps on Windows 10 Mobile can adapt to run fullscreen with a keyboard and mouse, Workspace is needed to run legacy Win32 apps, which don’t run natively on ARM devices such as the x3. Workspace streams the apps to the Elite x3 at 15fps, sufficient for most business applications.
The per-user monthly pricing is $79 and $40, depending on how much Win32 you need. Both packages give you a dedicated two-core vCPU. $79 buys you 8GB of virtual machine RAM and 80 hours per month, and unlimited apps. The more basic “Essential” tier aimed at “mostly mobile” workers buys you a 4GB RAM virtual machine and 40 hours of app streaming a month, limited to up to 10 apps.
This isn’t cheap, but as Windows watcher Steve Litchfield points out, it’s cheaper than paying an in-house IT team to sit around all day, setting fire to the bins.
And you can blame Microsoft for the pricing. VDI (virtual desktop infrastructure) as a service can be found cheaper via AWS, but Microsoft still sets a floor price.