EU Cyber Resilience Act (MUST READ)

hatzisn

Expert
Licensed User
Longtime User
I do not know how to feel about this. A part of me as a user welcomes it, but a part of me as a programmer is cursing the European Union for making my life harder.
The Cyber Resilience Act is a regulation of the European Union to promote the cyber security of all products with digital elements. That is, our creations as programmers, whether they are software for devices, computers, microcontrollers or industrial applications.

Here is a relevant article that says it all:


According to the relevant article on publyon.com we have almost 4 years to adapt to this regulation, but I believe it is better to know where you are heading from now and face whatever comes our way immediately. I believe that we have to face all these things from the beginning rather than postpone for later something that can be done now. There is a law (I don't remember who introduced it) that says that work tends to take up as much time as you have available for it. Let's reduce this time to a matter of months - a year at most.

I think it's time to form a consortium to face it and lift the weight off @Erel's side, because if he faces everything by himself he will end up cracking, and that may result in us losing his valuable support with the B4X universe that helps us in our everyday work.

You can Google the "Cyber Resilience Act" and when you get to the relevant page of the European Union, download the proposal. In the annexes there are all the obligations of the various parties in the chain of software availability to the users, whether you are acting as a manufacturer/programmer, a reseller etc.

Starting this initiative of the B4X consortium, here are my first understandings and proposals for this act:

1) All the code that we have contributed to this forum is governed by the open source adaptations by the EU in the proposal for this regulation. That is because we have supplied the code and we have made it freely available or donationware (the total amount of earnings is less than the amount spent to create/maintain it). Of course, some creators of wrappers of already-made libraries have to perform reverse engineering on the initial libraries (if they are compiled) that were wrapped and have to check them thoroughly themselves (and include in the zip files the version checked). This is in favour of b4xlibs, which I suppose we have to use from now on.

2) The three open source products out of the 4 of the B4X universe are not governed (according to my understanding) by the open source adaptations by the EU in the proposal for this act, because their code is partly available to the public. We have to help @Erel face this, and that leads me to number 3 and the following proposals.

3) Each piece of software according to the proposed regulation has to have a bill of materials. That is a tree of what it is made of, which has to be available to the end user. I suppose in order to help Erel adapt to this, and since he cannot be sure (until the suppliers of the materials have adapted to this regulation) about the materials used in the B4X IDEs, we have to help him lift this weight. I propose to shift the B4X universe to the B4X universe. According to my understanding all the IDEs use a library that exposes an object that @Erel uses as the programming window, as well as a treeview and a gridview available in .NET, and I cannot be completely sure about the search. I believe most of the previous components are already available in the B4J IDE and I also believe that we can develop an open source library similar to the coding window based on something like the HTML Editor View, since all it uses is a { contenteditable="true" } directive in the code of the HTML. With the help of some CSS + JavaScript and something like that I believe we can make it all together, shifting the creation of the B4X IDEs to the B4X universe (and especially B4J), and that is recursive to the next versions of the IDEs. This way @Erel will gain full control over the IDEs and we will help him to help us. Also a plus is that B4X will be cross-platform if we do this.

4) @Erel you already have an e-mail address available for contact on this site and maybe you can use the options available by the EU in the proposed regulation in order to also create a mail address for contact (in order not to expose your real address because of the situation in Israel). You can do this by making available a P.O. Box or by setting a trusted attorney who will handle all the written communications as an intermediary with you.

5) As far as the security updates for software created by the 2 IDEs (B4i & B4A) are concerned, the stores handle this automatically. For software created by the B4R IDE (obviously for MCUs that are connected to the internet) we have to create auto-updating functions like OTA Update (we have to see how to do this over https because it is not done this way now). For B4J all we have to do is to create a single program that will only be the updater, which will initially download the full software (as it is created as a standalone package) and place it in the XUI.DefaultFolder and run it from there when it is first installed; from the second time on it will check if there are new updates, delete the present folder of the "installed" software, download the update and unzip it, "installing" it there (XUI.DefaultFolder). It is obvious that the data of the application have to be stored in a separate folder, or in the XUI.DefaultFolder with the software "installed" in a sub-folder of this folder.

6) For the B4R IDE there has to be a fix for the https access to on-line APIs, which with every new call of the API reduces the available memory by some amount. I do not know why this happens, but until now I have ended up using only http access, which mitigates this but is obviously considered unsafe.

7) The 3 out of 4 IDEs (in the hosted builder case) or the 4 out of 4 IDEs (in the local builder case) provide local access for the transmission of data (so nothing to mitigate for them, and then again maybe not). For the B4i IDE, which transmits the project to the hosted builder, maybe encryption must be used in the communication, but I do not know if it is a must.

8) Most of the other requirements are almost straightforward, but I have some questions about what all of you think about this, and that leads me to the next part of this post.

QUESTIONS:

1) The regulation mentions that "Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks". Although this sounds almost totally comprehensible I cannot be sure if something more is meant in this sentence like advanced obfuscation. What do you all think?

2) The regulation mentions that "Products with digital elements shall be delivered without any known exploitable vulnerabilities". Does this mean that 24/7 we have to contact, or have/apply to our projects, white hat hacker knowledge?

3) The regulation mentions that "...protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions". How do we do this? I mean, if our software is publicly available, a malicious user can see our code + keys for encryption/decryption if no advanced obfuscation is used.

4) The regulation mentions that "...apply effective and regular tests and reviews of the security of the product with digital elements". Does this mean "run, my feet, run, in order not for my b*tt to shit on you..." in the sector of cyber security, 24/7, which leads us to question number 2? A proposal for both of these questions is to create the B4X consortium, where we will all pay some money monthly in order to hire some known cyber security company to do this work for all of us and notify us in every case + advise us on what to do...

5) The regulation mentions that "...protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms". Again! How is this done if a malicious user can see our code and get the keys for encryption/decryption if no advanced obfuscation is used? This also leads to the proposal of question number 4. It is obvious to my eyes that in the case of just stored data the password of the user can be used to encrypt the data and with every change of password decrypt and re-encrypt it. For transmitted data though? What do we do? We have to know the decryption password on the server side. I know, someone could say keep a copy of the user's password on-line, and I would ask if this is safe enough, which in my eyes it is not.


Any more suggestions/questions by anyone?
 
Last edited:
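Point 5 of the post above describes a B4J updater that downloads a package, unzips it into XUI.DefaultFolder and replaces the installed folder. The following is an added example written for this thread, not code from the post or from Anywhere Software: a Python sketch of the checks such an updater should perform before it replaces anything. It compares the download against a digest carried in a manifest (assumed to be fetched separately over HTTPS), refuses downgrades, unpacks into a staging folder while rejecting archive entries that would land outside it, and swaps folders only after extraction succeeded. The manifest format, the folder layout under the application root (program in `app`, user data in `data`) and the sample packages are assumptions made for the example.

```python
import hashlib
import hmac
import io
import os
import shutil
import tempfile
import zipfile

# Added example, not code from the thread. Layout assumption: app_root plays the
# role of XUI.DefaultFolder, the program lives in app_root/app and user data in
# app_root/data, which the updater never touches.


def build_package(files: dict) -> bytes:
    """Constructed stand-in for the zip the updater would download (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_manifest(version: str, package: bytes) -> dict:
    """Manifest the developer publishes next to the package (assumed format)."""
    return {"version": version, "sha256": hashlib.sha256(package).hexdigest()}


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def verify_package(manifest: dict, package: bytes, current_version: str) -> None:
    """Refuse downgrades and any package whose digest differs from the manifest."""
    if _version_tuple(manifest["version"]) <= _version_tuple(current_version):
        raise ValueError("refusing update: manifest version is not newer than installed")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise ValueError("refusing update: package hash does not match manifest")


def safe_extract(package: bytes, dest: str) -> None:
    """Extract, rejecting entries that would land outside dest ("zip slip")."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.isabs(name) or os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip entry escapes install dir: {name}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)


def install_update(manifest: dict, package: bytes, app_root: str, current_version: str) -> str:
    """Verify first, unpack into a staging dir, then swap it in; returns the new version."""
    verify_package(manifest, package, current_version)
    install_dir = os.path.join(app_root, "app")
    staging = os.path.join(app_root, "app.staging")
    previous = os.path.join(app_root, "app.previous")
    shutil.rmtree(staging, ignore_errors=True)
    os.makedirs(staging)
    try:
        safe_extract(package, staging)
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)  # a bad package leaves nothing behind
        raise
    shutil.rmtree(previous, ignore_errors=True)
    if os.path.isdir(install_dir):
        os.rename(install_dir, previous)  # keep the old build until the swap is done
    os.rename(staging, install_dir)
    shutil.rmtree(previous, ignore_errors=True)
    return manifest["version"]


def _rejected(manifest: dict, package: bytes, root: str, current: str) -> bool:
    try:
        install_update(manifest, package, root, current)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Exercise the checks against constructed packages in a temp dir; returns what happened."""
    root = tempfile.mkdtemp()
    results = {}
    good = build_package({"app.jar": b"build 1.2.0", "lib/helper.jar": b"helper"})
    results["installed"] = install_update(make_manifest("1.2.0", good), good, root, "1.1.0")
    with open(os.path.join(root, "app", "lib", "helper.jar"), "rb") as f:
        results["helper"] = f.read()
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one flipped byte in the download
    results["tamper_rejected"] = _rejected(make_manifest("1.3.0", good), tampered, root, "1.2.0")
    results["downgrade_rejected"] = _rejected(make_manifest("1.2.0", good), good, root, "1.2.0")
    evil = build_package({"../escape.txt": b"outside the install dir"})
    results["traversal_rejected"] = _rejected(make_manifest("1.3.0", evil), evil, root, "1.2.0")
    results["escaped_file_exists"] = os.path.exists(os.path.join(root, "escape.txt"))
    results["app_intact"] = os.path.isfile(os.path.join(root, "app", "app.jar"))
    results["staging_left"] = os.path.exists(os.path.join(root, "app.staging"))
    shutil.rmtree(root, ignore_errors=True)
    return results
```

The manifest here carries only a SHA-256 digest, so it protects against a corrupted or swapped download as long as the manifest itself arrives intact over HTTPS; a signature over the manifest, verified with a public key shipped inside the updater, would additionally cover the case where the download server is compromised.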

EnriqueGonzalez

Expert
Licensed User
Longtime User
my 2 cents:
I think it's time to form a consortium to face it and lift the weight off @Erel's side because if he faces everything by himself
lol no, that guy works 25 hours a day and I'm pretty sure he has lawyers. Also he doesn't even live in the EU.

The three open source products out of the 4 of the B4X universe are not governed (according to my understanding) by the open source adaptations by the EU in the proposal for this act, because their code is partly available to the public.
All the libraries used are fully open source and fully available: https://github.com/AnywhereSoftware

propose to shift the B4X universe to the B4X universe
I guess you meant to have all in one IDE. Well lol, that's definitely not needed. The IDEs are not open source.

"Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks"
I mean, that's the description of anything AnywhereSoftware does.

...protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions
you can certify your code.

A proposal for both of these questions, is to create the B4X consortium that we will all pay monthly some money in order to hire some known cyber security company to do this work for all of us and notify us in every case + advise us on what to do...
no... why even do that? Worst case scenario is to simply pay AS again and they take care of that.

I understand your concern, but I believe in AS way more.
 

hatzisn

Expert
Licensed User
Longtime User
my 2 cents:

lol no, that guy works 25 hours a day and I'm pretty sure he has lawyers. Also he doesn't even live in the EU.


All the libraries used are fully open source and fully available: https://github.com/AnywhereSoftware


I guess you meant to have all in one IDE. Well lol, that's definitely not needed. The IDEs are not open source.


I mean, that's the description of anything AnywhereSoftware does.


you can certify your code.


no... why even do that? Worst case scenario is to simply pay AS again and they take care of that.

I understand your concern, but I believe in AS way more.

Please Enrique, don't get the way I am writing this message wrong, because now that I have finished it and re-read it, I kind of get this feeling from what I wrote and this is definitely not my intention. I am totally concerned by this EU regulation. Well, here goes nothing... Continue reading.



It does not matter where you live. The Cyber Resilience Act is valid for you even if you live in Middle Earth of The Lord of the Rings, if you provide goods with digital elements to EU clients.

For the open source argument, a piece of software is not only composed of libraries. You are right, the libraries are open source, but the software that "uses" them (in quotation marks) is not. The quotation marks are valid because they are used in the output of the IDEs and I am not completely sure if this counts. But you mention it yourself that the IDEs are not open source; they are donationware. The fact that no code is provided excludes them from the open source clause of the proposed regulation.

So my concern, because they are not open source and thus not excluded from this regulation, is their bill of materials. That could pose a danger to the IDEs and we could end up at some point without the ease and RAD of the B4X universe. That is why I think it is a relation of give and take. Giving full power over the IDEs' bill of materials (BOM) to @Erel is also to our benefit.

That is why I proposed that we can create a view based on a WebView with HTML and in the body tag include contenteditable="true". This + some CSS + some JavaScript and we have a ready-made code editor that @Erel can use to shift the creation of the IDEs from .NET to B4J (and I mean less work for four different IDEs). I have already made some initial experiments and I will post the results tomorrow as it progresses.

For the description of anything Anywhere Software does, I am concerned about our products created with the IDEs. According to the proposal you will have to mitigate every vulnerable point before you release your app to the public and create a documented description of everything in every version. Totally shit-heads from a programmer's point of view, these guys in the EU cyber security office, but angels from a user's point of view.

For the certification part, even if I do this, I am not only concerned that a malicious user would change my code but that he will see or acquire through debugging the encryption/decryption password, and then the situation totally goes to hell. How do you mitigate this except with an advanced obfuscation app that can cooperate with the output of the IDEs? I already tried some app of this kind last summer for a B4J app and the result was not a success.

I do not know if putting the checking of cyber security on @Erel's back, or on some of his colleagues if he gets some, even by paying for this, is a good choice. This is because I myself alone have 10 and more applications in Google Play, and the active users of the forum are really many. Do you think this is viable, since the regulation requires regular checks of the cyber security of all apps, for known vulnerabilities as well as the ones born every day? What concerns me even more is the fact that there might be fines if you fail to fulfill all the obligations of the regulation, and I do not have the knowledge to mitigate cyber security completely. It does not matter if you get hit, but it matters if you fail to fulfill the obligations in accordance with the regulation to mitigate this immediately (and the "doesn't matter" part is valid only if you fulfilled the pre-release terms of the regulation). Cyber security companies cost, and the only way to be excluded from the regulation is to make your digital creation completely open source (that is, kiss in-app purchases bye bye). We are all small developers that occasionally earn some money (more or less) from in-app purchases, and the only way to face the EU beast is to unite.

I suppose @Erel is looking at the terms of the regulation or has postponed it due to the almost 40 month period of adaptation. I really would like, though, your opinion @Erel about the regulation and my proposals.
 
Last edited:

hatzisn

Expert
Licensed User
Longtime User
For transmitted data though? What do we do? We have to know the decryption password on the server side. I know, someone could say keep a copy of the user's password on-line, and I would ask if this is safe enough, which in my eyes it is not.

How could I be so blind when I wrote this? Ghosts in the machine. Hash is the answer. You transmit encrypted data with a key that is known even to the hacker/cracker if he manages to see/debug your code, encoding the user's username+password (or + old password if you change it), which are not known to the malicious user, and also the data encrypted with this user password, within a JSON let's say. On the server side calculate the hash of the username-password (or old password if you are changing it) and if the hash agrees with the saved one, use the password to decrypt the data encrypted with this password. This implies that the user must enter their password on each access, and there is a chance of data loss if the password is lost, since it is not kept as text. Also a hashed next server communication key can be created each time and this key (string) sent encrypted inside the encrypted data, in order for the server to use it to send data back encrypted.
 
Last edited:
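Question 5 of the opening post (encrypting stored data with the user's password and decrypting/re-encrypting on each password change) and the hash idea in the post above both turn on the same question: how a client can keep data encrypted without a key sitting in its code, while a server can still check the password. The following is an added example written for this thread, not code from any forum member or from Anywhere Software, using only Python's standard library. It goes beyond what the posts describe in two ways: a random data key is wrapped with a password-derived key, so a password change re-wraps that one key instead of re-encrypting all the data, and the server stores only a salt, a verifier hash and the wrapped key, so it never needs the password or the key. The iteration count, the record layout and the HMAC-counter keystream (a dependency-free stand-in for AES-GCM) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread. All parameter values are assumptions.
PBKDF2_ITERATIONS = 100_000  # assumption: pick a cost your client hardware tolerates
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the password and a per-user random salt.

    The salt defeats precomputed tables, the iteration count slows brute force,
    and the KEK itself never leaves the client.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a pseudorandom stream. A real app should use
    # AES-GCM or ChaCha20-Poly1305 from a vetted library; this keeps the example
    # runnable with the standard library only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, both derived from one key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag (the tag covers both)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or any modification raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(password: str, data: bytes) -> dict:
    """Build the record the server stores. Nothing in it decrypts `data`."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    dek = secrets.token_bytes(KEY_LEN)  # random data key, independent of the password
    return {
        "salt": salt,
        "verifier": hmac.new(kek, b"auth", "sha256").digest(),  # login check, not a key
        "wrapped_dek": encrypt(kek, dek),
        "ciphertext": encrypt(dek, data),
    }


def authenticate(record: dict, password: str) -> bool:
    """Server-side check: the client sends HMAC(kek, 'auth'), never the password itself."""
    kek = derive_kek(password, record["salt"])
    return hmac.compare_digest(hmac.new(kek, b"auth", "sha256").digest(), record["verifier"])


def read_data(record: dict, password: str) -> bytes:
    """Client side: unwrap the data key with the password-derived key, then decrypt."""
    kek = derive_kek(password, record["salt"])
    dek = decrypt(kek, record["wrapped_dek"])
    return decrypt(dek, record["ciphertext"])


def change_password(record: dict, old_password: str, new_password: str) -> None:
    """Re-wrap the data key only; the stored ciphertext is untouched."""
    dek = decrypt(derive_kek(old_password, record["salt"]), record["wrapped_dek"])
    record["salt"] = secrets.token_bytes(16)
    new_kek = derive_kek(new_password, record["salt"])
    record["verifier"] = hmac.new(new_kek, b"auth", "sha256").digest()
    record["wrapped_dek"] = encrypt(new_kek, dek)
```

As in the post, losing the password means losing the data, because no copy of the key exists anywhere else; the verifier lets the server answer "is this password right?" without being able to answer "what is the password?" or read the data.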

hatzisn

Expert
Licensed User
Longtime User
I forgot yesterday to post the results. Here are the initial results of the WEB-CODE-EDITOR.
 

Attachments

  • editor.zip
    601 bytes · Views: 87

Daestrum

Expert
Licensed User
Longtime User
Surely if you make an online code editor, you have even more precautions to take than using the current IDEs, which are minimally connected (they tell you if a new version is available for the IDE and/or libraries).
 

hatzisn

Expert
Licensed User
Longtime User
Surely if you make an online code editor, you have even more precautions to take than using the current IDEs, which are minimally connected (they tell you if a new version is available for the IDE and/or libraries).

You are correct and at the same time not correct. Definitely a lot of things need to be added (this is just an initial approach), but the code editor is just a WPF .NET view (if I remember correctly). The IDE writes the connectivity of the bridge and new versions in a status bar. If you can call B4J subs from JavaScript inside the WebView (which is done in B4A) then you are set to go.
 

hatzisn

Expert
Licensed User
Longtime User
You are correct and at the same time not correct. Definitely a lot of things need to be added (this is just an initial approach), but the code editor is just a WPF .NET view (if I remember correctly). The IDE writes the connectivity of the bridge and new versions in a status bar. If you can call B4J subs from JavaScript inside the WebView (which is done in B4A) then you are set to go.

Regarding my web code editor above, another thing that just crossed my mind is exactly what @Daestrum says. Transferring B4X (in general) functionality into a B4J web app, giving the programmer the choice to program from wherever he is (installing to phone or PC by having a small B4J program that runs as is, in a USB folder - no need to install - it could be done through AsyncStreams and MQTT). That would be a huge upgrade for the B4X universe and of course it could be offered as a paid extra service. The programmer could save his/her code in Dropbox or Google Drive or just download/upload it in a zip file (and it is also economically feasible - searching for a VPS, a Contabo lowest-price VPS costs around 6 EUR - VAT not included - per month. Five or six of them would cover the needs of everyone since compiling is not such a resource-taking, long procedure. It could be done in a Docker image for easy installation on new servers). Also by making the installing software cross-platform you could even develop in B4A/B4i while taking mass transportation, from your phone or Android tablet immediately with a service (but then again maybe not, due to the new Android limitations) or through save/open through iPad/iPhone if you are installing to the same device. If you are installing on a different device then it is completely straightforward (a second option for installing in B4A would be that you will have to make your tablet a wifi hotspot).

In fact there is no need to develop the code editor. There is already:
 
Last edited: