[mythtv-users] Strange mythweb OT: Force Mythweb to mobile for iphone?

Jim Cuzella TrinitronX at gmail.com
Tue Jan 20 10:16:59 UTC 2009


Chase Douglas wrote:
> On Jan 19, 2009, at 9:08 PM, Jim Cuzella wrote:
>> Brad DerManouelian wrote:
>>> On Jan 19, 2009, at 3:02 PM, Anthony Giggins wrote:
>>>
>>>> Off Topic, is it possible to force mythweb to Mobile to view nicely
>>>> on the
>>>> iphone?
>>>
>>> You don't like the current mythweb on your iphone? I kind of like
>>> it. :)
>>> If you want a mobile view, you can certainly choose the mobile
>>> template. Go to Mythweb Settings for Mythweb and change your template
>>> for your current session.
>>>
>>> In other news, a new template is being made specifically for the iPod
>>> (just noticed in trunk) and from what I see, it's really pretty.
>>>
>>> -Brad
>> Brad,
>>
>> How does this mythweb interface compare in your opinion to the MyMote
>> app?  I have experienced some issues with MyMote losing connection due
>> to my iPod Touch's auto-sleep feature.  Also, in my opinion, the
>> security holes introduced by changing to a default password & opening up
>> MySQL server to all IP connections are very risky, and ill-designed
>> (assuming I didn't miss something).  A short PIN number is NOT good
>> security, and easily brute forceable.
>
> I developed MyMote so I can explain a little bit about how I
> envisioned the security environment around it. MythTV uses an
> extremely insecure interface for remote control. Instead of doing
> crazy things like trying to provide the ability to tunnel connections
> over ssh, I realized that anyone who is using MyMote is almost always
> doing so on their own network. Thus, if you trust your router's
> firewall, you can feel safe enough to open up the MythTV remote
> control port. If you feel that safe, then you should feel safe enough
> to only open up your MySQL MythTV database to your own local network's
> address range, which usually consists of unroutable addresses anyways.
> There's virtually no chance of someone faking that from the internet
> unless they really REALLY wanted to find out what your keybindings
> were... So that leaves the security PIN interface, which again is
> firewalled from the internet. As long as you don't worry about someone
> getting on your network and brute forcing your PIN to MythTV, I
> wouldn't worry about it too much.
>
> So MyMote and MythTV security boil down to a few questions:
>
> 1. Do you trust that you can keep people off your local network?
> 2. Do you trust your firewall to keep people out of your local network
> on the MythTV XML and remote control interface ports?
> 3. Do you trust the people who do have access to your local network?
>
> All "yes" answers at a 99% confidence level are good enough for me,
> and I hope most people as well.
>
> P.S.: There's no need for some sort of default password to be set for
> MyMote to work. Also, any further discussion of MyMote is really OT to
> this topic as well, as MyMote and Mythweb have extremely little
> functionality overlap.

I understand your reasoning, however my problem is that I can't answer
yes to #3.  There are a bunch of other Windows boxes on my network used
by.... let's say "not so tech-savvy" people.  I can envision some
scenarios where these machines could become infected with some sort of
malware looking for random ports to sink its teeth into.  I admit this
is probably a not so likely scenario for Windows malware to be looking
for open MythTV service ports.  However, the tradition of Linux software
in general is to keep things securable, and it's possible that in the
future some local exploit could be found in MySQL to allow a little
insecurity here to turn into something much worse (and more tasty
looking for those writing malware).  These blended threats pop up all
the time, so my opinion is that it's usually the "Right Thing" to code
with security in mind.

Sorry, I didn't mean to keep this thread fork going too long, or to
criticize your app (I think it's still *really* cool by the way ;-) ). 
I've been wanting to get into some embedded development for a bit now,
and perhaps taking a look at this is something to put on my ever growing
list of things to do.  Alas, ...if only I didn't have to work on so many
projects at once right now for college, hehe.

Anyway, thanks for the cool app!
- Jim C.
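
The thread contrasts a MySQL account reachable from "all IP connections" with one limited to the local network's unroutable address range. The following is an added example, not part of the original messages and not code from MyMote or MythTV: it classifies MySQL account host patterns by whether they stay inside loopback or RFC 1918 space. The `mythtv` account name and the sample rows are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: the "unroutable" LAN address space mentioned in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def pattern_to_network(host):
    """Map a MySQL account host pattern to an IPv4 network, or None if not IP-shaped."""
    try:
        if "/" in host:  # address/netmask form, e.g. 192.168.1.0/255.255.255.0
            net = ipaddress.ip_network(host, strict=False)
            return net if net.version == 4 else None
        parts = host.split(".")
        fixed = []
        for part in parts:  # collect the leading numeric octets
            if not part.isdigit():
                break
            fixed.append(part)
        rest = parts[len(fixed):]
        if len(parts) > 4 or any(p != "%" for p in rest) or (len(fixed) < 4 and not rest):
            return None  # only whole-octet '%' wildcards can be checked here
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network("%s/%d" % (base, 8 * len(fixed)))
    except ValueError:
        return None

def classify(host):
    """Return 'loopback', 'lan-only', 'exposed' or 'review' for one host pattern."""
    if host in ("localhost", "::1"):
        return "loopback"
    net = pattern_to_network(host)
    if net is None:
        return "review"  # hostname or partial wildcard: needs a manual look
    if net.subnet_of(LOOPBACK):
        return "loopback"
    if any(net.subnet_of(r) for r in RFC1918):
        return "lan-only"
    return "exposed"  # pattern admits addresses outside the private ranges

# Constructed rows, shaped like the result of: SELECT user, host FROM mysql.user;
SAMPLE_ACCOUNTS = [("mythtv", "localhost"), ("mythtv", "192.168.1.%"),
                   ("mythtv", "10.0.0.0/255.0.0.0"), ("mythtv", "%"),
                   ("mythtv", "%.example.lan")]

def audit(accounts):
    return [(user, host, classify(host)) for user, host in accounts]

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS))
```

A `lan-only` result only says the grant is scoped to private addresses; it does not address the untrusted-LAN-host concern raised in the reply above.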
