2527 posts • joined 9 Mar 2007
Well the point about that new OS is that the code has been proven not to suffer from certain kinds of bugs. Since such a proof is very hard to do, they only did it with very little code, hence a microkernel. It is then hoped that a "secure" microkernel will be able to secure the rest of the system... which is not necessarily true.
However it is a big step towards security.
Well it should be obvious
AV companies started their products in the 1990s, back when nobody was good at programming, at least not the people who programmed for Windows.
Then they keep putting layer on layer of complexity. First they only scanned files, then they scanned archives. They continue to mess around with more and more complex programs. If a team implementing a compression algorithm cannot get it right, why should a team also responsible for lots of other things get a whole bunch of compression algorithms right?
Among security people, AV is seen as snake oil. It cannot work in principle, therefore they won't work on such projects.
Lastly, to answer the question why browsers are harder to exploit than AV software: browsers have been mostly open source for more than a decade now. Browsers are actively researched and exploited by a large variety of people. Compare that to AV software, which nobody who knows about security cares about.
Re: Steam Punk Cool
Actually ATMs were among the first things standing around in public that had access to data networks. At least some of them were connected to ISDN lines, where they would use X.25 over the signalling channel to verify their transactions.
It's old, and it's obviously rather easy if you can modify your ATM.
This series of pictures shows chess being played on an older OS/2 based machine:
Essentially the bank left a console window open.
From my experience working at a German "tech" company...
... this shouldn't be too difficult. Just get rid of all your MBAs and bad engineers and the remaining few will be able to work much more efficiently. At least that's what you'd do to a German company to make it competitive.
Well the idea is that you use FEC spread across packets so you don't have to re-transmit a lost packet. So you spread the information of 3 packets into 4 and can live with one in 4 being lost.
Lost packets can happen even with strong FEC with wireless connections.
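The "3 packets into 4" scheme above, as an added example (not code from the original post): a single XOR parity packet per group of three data packets. Any one of the four packets in a group can be lost and rebuilt from the other three without retransmission; losing two in the same group is unrecoverable, which is the case the post's caveat about wireless links is about. Packet size, group size and the function names are assumptions for illustration; real systems use Reed-Solomon or fountain codes, which tolerate more losses per group at a higher overhead.

```python
# Added example, not code from the original post: a 3+1 XOR erasure code,
# the simplest form of the "spread 3 packets into 4" FEC described above.
# Any ONE of the four packets in a group can be lost and rebuilt from the
# other three; losing two in the same group is unrecoverable, which is why
# a real protocol still needs a fallback (retransmission or a stronger code
# such as Reed-Solomon).  Packet size, group size and names are assumptions.

GROUP = 3  # data packets per group; a 4th parity packet is appended


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode_group(packets):
    """Return the GROUP data packets followed by their XOR parity packet."""
    if len(packets) != GROUP or len({len(p) for p in packets}) != 1:
        raise ValueError("need exactly %d equal-length packets" % GROUP)
    parity = bytes(len(packets[0]))
    for p in packets:
        parity = xor_bytes(parity, p)
    return list(packets) + [parity]


def decode_group(received):
    """received: GROUP+1 entries in order, each bytes or None for a lost packet.
    Returns the GROUP data packets, or None if more than one packet is missing."""
    lost = [i for i, p in enumerate(received) if p is None]
    if len(lost) > 1:
        return None                      # XOR parity repairs at most one erasure
    if lost:
        present = [p for p in received if p is not None]
        rebuilt = bytes(len(present[0]))
        for p in present:                # XOR of the survivors = the missing one
            rebuilt = xor_bytes(rebuilt, p)
        received = list(received)
        received[lost[0]] = rebuilt
    return received[:GROUP]


def transmit(data, size, drops):
    """Simulate a lossy channel with no retransmission.

    Splits `data` into `size`-byte packets (zero-padded to a whole number of
    groups), encodes each group, drops the encoded sequence numbers listed in
    `drops`, decodes and reassembles.  Returns the data, or None if some group
    lost more than one packet."""
    pkts = [data[i:i + size] for i in range(0, len(data), size)]
    while len(pkts) % GROUP:
        pkts.append(b"")
    pkts = [p.ljust(size, b"\0") for p in pkts]
    encoded = []
    for g in range(0, len(pkts), GROUP):
        encoded.extend(encode_group(pkts[g:g + GROUP]))
    received = [None if seq in drops else p for seq, p in enumerate(encoded)]
    out = []
    for g in range(0, len(received), GROUP + 1):
        group = decode_group(received[g:g + GROUP + 1])
        if group is None:
            return None
        out.extend(group)
    return b"".join(out)[:len(data)]


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    print(transmit(msg, 8, {0, 7}))   # one loss in each group: fully recovered
    print(transmit(msg, 8, {1, 2}))   # two losses in one group: None
```

The overhead is fixed at 4/3 regardless of the actual loss rate, and the receiver has to hold a whole group before it can hand the data up, which is the latency cost that a scheme like this trades against round-trip retransmissions.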
Well under some circumstances
Yes, on high latency connections this could bring a considerable improvement. However it would require a new protocol, kinda a TCPwR (Transmission Control Protocol with Redundancy).
There are 2 problems with this:
1. It won't go through unmodified NAT.
2. It can be hard to implement.
The first problem is particularly bad with the "carrier grade NAT" you commonly have on high latency mobile connections, or mid latency consumer connections.
The second one is evident if you look at real life implementations of TCP/IP stacks. There are ones, particularly in embedded systems, still having severe problems. For example the Nucleus one just tends to drop connections without telling the application about it. Adding more complexity will cause lots of problems.
Maybe one sensible way of doing it would be to extend TCP in some way so connections could easily fall back.
I wonder what such a tool looks like...
...particularly considering that for many years the only built-in way of reading the system logs was through a non-resizable window.
Re: What would be cool
Well I kinda have the same problem. In fact with the new satellite I'm even exactly in a null, so there is no hope of reception. I get by with a video disk service which gets me DRM-free files delivered via FTP.
Anyhow of course German TV averages about "Five".
What would be cool
Is that they would just close down Sky Deutschland and replace it with Sky UK. Considering how bad Sky Deutschland is in everything except sports (which I don't really care for), that would be a real improvement.
We should outlaw DRM
If there wasn't any DRM, services like Netflix would easily cache via a transparent cache and we wouldn't have that problem.
Other than that it seriously makes me wonder how bad the infrastructure in the US must be that ISPs actually cannot get proper affordable upstream bandwidth.
The questions are...
...is it an open standard, free of patents?
...is it easy to implement on your own without weird libraries?
Only if you can answer those 2 questions with yes is it worth investing in it.
Happens regularly in industry
However in industry nobody outside notices, except when the company goes bust because of it.
It's just customers' money anyhow, so why should they care?
Actually light doesn't "bounce off" the edges of a fibre optic cable....
...at least not in anything "communications grade". Of course it will for cheap SPDIF-like systems, but if you want to reach high speeds you encounter a rather simple problem: the parts that bounce around will take considerably longer to arrive than the parts which go straight through the middle. This may not sound like a lot, but it adds up. If you have a 100km cable, paths a percent longer or shorter can really spoil your bandwidth.
Instead fibre optic cables actually work more like microwave waveguides by providing an environment where, ideally, only the wave you are interested in can exist. This involves lots of math.
What did you expect?
Apple is one of the few companies that doesn't give out their source code. What other reason, except for betraying the user can there be for this?
I think we should ban binary-only software. It's not just too much of a security risk, it's also a question of consumer rights. If I buy a car or a vacuum cleaner I have every right to modify it in any way I want. Why don't I have that right with software? Why can't I just patch out features I don't like or patch in features I'd like to have?
Yes, it's all in the LTE advanced roadmap
So they are, in a nutshell, implementing what is planned to be implemented for years.
Surely it's nifty technology, but it's barely news.
Actually... I'm kinda doing that
I don't trust the router of my ISP and my ISP, so what I have is a tunnel to a rented server in a data centre. The NAT happens there and I connect to it via an OpenVPN tunnel. Of course DHCP and similar services still run locally.
However trusting your ISP to do that is just foolish. ISPs have shown over and over again that they are not trustworthy. Just think of the BT incident where they replaced advertisements and tracked you. I think it was called Phorm.
Re: You jest!
Seriously the BBC is great when compared to the rest of Europe. Even ITV is.
For example the BBC dares to bring shows like "Stargazing Live" at prime time. A show which is not aimed at the lowest common denominator. The BBC even experiments with things like "Hairdresser of the Year".
And ITV even has people with character, just think of Harry Hill. You may not like him, but at least he's not bland like German show hosts are today.
Re: What century are these guys in?
I think most Linux Distributions had autoupdate long before Microsoft even started that near pointless scrap of update mechanism they have now.
Ahh, so it's PHP malware
This has very little to do with Linux and FreeBSD, but with PHP which makes it _really_ hard to write secure code. (at least a lot harder than writing insecure code)
I don't even know if that makes sense
I mean sure, "smart"-watches had and will have displays, and in the future devices sold as "smart"-watches will have pixel based displays. However they are rather small, so it's hard to display any significant amount of information. What's even worse is that touch interfaces make it really hard to interact with them in any meaningful way. So I'm not sure how important this will be.
What might be more important would be voice recognition. Currently it's the only way to give semi-complex commands to a mobile phone. Maybe we will one day whisper to our watches - Michael Knight style. :)
We should fix the underlying problem
Browsers are just so complex, they have such huge code bases nobody can properly understand them any more. Maybe we should go on and split up a successor to HTML into 2 separate standards. One for "documents" and the other one for applications. Both would need to be as simple as possible to get rid of legacy bad design decisions like being able to execute code from other webservers than the one you load your HTML from.
Maybe we could then write a client for that new protocol in a browser, so there would be a trivial way to transition over to it.
It's similar with Deutsche Telekom here
They don't do peering, so if you want to connect to them, they'll charge you as if you were their only upstream ISP, and they charge about double of what the competition does. Therefore, as far as I know, they aren't connected to Google or any of the large Internet exchanges.
However local hosting providers typically are connected to them as well as to the nearest Internet Exchange. So routing through your server at such a hosting company can make your YouTube work considerably better.
Finally proper IPv6 support. Finally you can use this in "productive" home environments where you don't have a whole IPv4 subnet to distribute.
There are multiple plausible ways to do this
And since ElReg doesn't go into the details, I think it's fair to give an overview.
The traditional way is to have a second, but considerably stronger uplink. You'd need to be at least about 10 times stronger, which is hard to do. In the olden days of analogue feeds to the uplink, you could even do this to the feed, which is much easier.
Then today many uplinks are fed via the Internet. RTMP can probably be spoofed with some effort.
The most plausible way might be an attack against the Playout Centre. TV-stations today, particularly small satellite ones, don't have people starting tape cassettes or reading continuity announcements any more. Instead it's all just files on disks which are automatically played and put on the air. There are commercial Playout Centres for doing this. Much content will still be shipped to it on tape, but commercials and similar fast changing material is simply uploaded via FTP. Now if you get access to that FTP server, it's trivial to swap out files. If you get the correct length, it'll play seamlessly just as if it was intended that way. If you don't, you might get some hiccups.
Getting the FTP password might be done via malware or via an intern at the station.
The spy is inside the device
It runs probably closed source code from a company known to store and process every bit of information they get. Even if said company is not evil, they are under US, and possibly even UK, legislation forcing them to hand over every bit of information they have.
Re: @Anonymous Coward
Actually most German online electronics stores have Raspberry Pis. Pollin is mostly known for surplus and used stuff.
Well, there are patent lawyers. And they just continue to nag the patent clerks until the patent goes through and the lawyer goes away.
For a patent conforming to your rules, you don't actually need a lawyer, it just goes through after the patent clerk kindly pointed out the errors you have been making.
Re: Corporations (like Google) need to step up.
"Downvotes? What terrorist dislikes the "Art of UNIX Programming"?"
In my experience there is a violent branch of the C++/Java/C# fans that completely hates that book. Unfortunately some of them are now found in what is called the "Freedesktop" movement.
Re: Corporations (like Google) need to step up.
BTW if you are interested in software design in C, read "The Art of UNIX Programming". It's a completely different mindset to the C++ one.
Browsers cannot be secure...
...since there the encrypted channel is based on public certificates. Though you can get something similar to certificate pinning with self-signed certificates, this can easily be subverted by using normal certificates.
What we finally need to do is to get GPG to be more usable and shipped by default with e-mail software.
What will you do in 10 years with it?
I mean your typical component stereo system is not only much cheaper (when you use used components like speakers), but is also rather future proof. Analogue audio is like the text files of electronics, it just works and every device can speak it. Even SPDIF is widely used and understood by many vendors. Contrast that to some wireless solutions which depend on complex, sometimes even proprietary, protocols.
So the way those wireless multi-room systems are built today they are just suitable to extract money from hipsters.
The most important thing when you get such a job
...is to stop yourself from increasing your cost of living. It should be clear to everybody that such a job is only possible in a tech bubble where everyone pretending to be able to code can get a high paying job.
It makes sense to use that bubble to collect money for your future education, but be aware that the bubble will collapse eventually. Nobody knows if it'll be in 10 weeks or 10 years, but it will collapse. If you are prepared, you can then start studying and you will emerge wiser and without debt.
Well the Japanese were good at doing so. I have a Japanese VCR from the mid 1970s which still works, except for one rubber part which needs to be replaced.
Re: Well browsers are not suitable for this
Yes, or a terminal. Why don't we have "GUI Terminals" to which I can send a simple form and they render it, have the user fill it out and return it. Kinda like HTML used to be before webdesigners took over.
Well browsers are not suitable for this
Even if there was no cross site scripting hole in there, you could still get a fake certificate and do man in the middle.
The whole browser thing may need to be replaced by something much simpler and based on actual security.
Re: Users, Who'd have 'em.
Well... VBA scripts give at least a bit of use to office products as they allow at least a little bit of automation. Of course in an ideal world, people would just use flat text files and the unixoid tools available.
Maybe its to improve public transport infrastructure
I mean it's probably no problem at all to purchase 470 double-decker buses for a photo-op when it's about such a large ship. The cost of that is just negligible. While it's much harder to buy such buses normally.
So if you buy 470 double-decker buses out of the military PR budget, make that photograph, and then sell them to local communities for a symbolic price, you will have made a serious improvement to the public transport infrastructure.
Well the Stasi didn't have contractors. However people knew/suspected quite a bit. I mean back then it was all manual, so you could see the people following you around.
It's a tool in their belt
As someone who actually did record the phase of the grid for extended periods I can say that it's plausible for certain situations.
First of all, the averaged frequency of all points in the grid is the same, however there may be some minor phase shifts. Those are however probably completely useless for this.
The harmonics also are much less useful than they might seem, since those depend on your very local conditions, particularly when talking about the sound aspect of it. The type of "loudspeaker" would probably completely dominate this.
It is rather trivial to fake this anyhow. Just record the hum of the place and time you want, filter out the original hum, then paste in the fake one. Alternatively you can just use notch filters at 50, 100 and 150 Hz and fill up the space with narrow band noise.
So yes, if I was the NSA I would do it, particularly since it's cheap to do (our setup at work was essentially some cheap Foxconn PC and a tiny bit of homegrown hardware to connect the mains and the output of our clock to the soundcard) and it might be helpful in rare cases.
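A toy version of the mains-hum (electrical network frequency, ENF) analysis and of the counter-measures described in the post above, as an added example that is not part of the original post. A constructed 3 second "recording" at 1 kHz carries a 50 Hz hum whose frequency drifts slightly every second (that drift history is the fingerprint), plus the 100/150 Hz harmonics, a 220 Hz "voice" tone and background noise. estimate_enf() reads the drift back out, strip_hum() applies the notch filters at 50, 100 and 150 Hz, and inject_hum() pastes in a fake hum, after which the estimator reports the fake frequency. The sample rate, amplitudes, drift values and all function names are assumptions; pure Python is used so it runs anywhere (a real analysis would use numpy/scipy on actual audio).

```python
# Added example, not code from the original post: a toy version of the
# mains-hum ("electrical network frequency", ENF) analysis the post talks
# about, and of the two counter-measures it proposes.  A constructed 3 s
# "recording" at 1 kHz carries a 50 Hz hum whose frequency drifts slightly
# each second (that drift pattern is the fingerprint), plus harmonics, a
# 220 Hz "voice" tone and noise.  estimate_enf() reads the drift back out,
# strip_hum() notches 50/100/150 Hz, inject_hum() pastes in a fake hum.
# Sample rate, amplitudes, drift values and all names are assumptions.
import functools
import math
import random

FS = 1000  # sample rate (Hz) of the constructed recording


def make_recording(enf_per_second, fs=FS, seed=1):
    """Synthesise hum + harmonics + 'voice' + noise. enf_per_second lists the
    hum frequency for each successive second; the hum is phase-continuous."""
    rng = random.Random(seed)
    phase, out = 0.0, []
    for sec, f in enumerate(enf_per_second):
        for n in range(fs):
            phase += 2 * math.pi * f / fs
            t = (sec * fs + n) / fs
            out.append(math.sin(phase)                          # 50 Hz hum
                       + 0.3 * math.sin(2 * phase)              # 100 Hz harmonic
                       + 0.1 * math.sin(3 * phase)              # 150 Hz harmonic
                       + 0.5 * math.sin(2 * math.pi * 220 * t)  # "speech"
                       + rng.gauss(0, 0.05))                    # background noise
    return out


def tone_level(x, f, fs=FS):
    """Magnitude of one DFT bin at frequency f, scaled so that a sinusoid of
    amplitude 1 at exactly f gives about 0.5 (about 0.25 after a Hann window)."""
    re = im = 0.0
    for n, v in enumerate(x):
        re += v * math.cos(2 * math.pi * f * n / fs)
        im += v * math.sin(2 * math.pi * f * n / fs)
    return math.hypot(re, im) / len(x)


def estimate_enf(x, fs=FS, window_s=1.0, lo=49.5, hi=50.5, step=0.01):
    """Per-window hum frequency: the candidate in [lo, hi] with the largest
    Hann-windowed DFT magnitude (a sinusoid fit, finer than the 1/T bin)."""
    n_win = int(window_s * fs)
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * n / n_win) for n in range(n_win)]
    steps = int(round((hi - lo) / step))
    candidates = [round(lo + i * step, 6) for i in range(steps + 1)]
    estimates = []
    for start in range(0, len(x) - n_win + 1, n_win):
        frame = [x[start + n] * hann[n] for n in range(n_win)]
        estimates.append(max(candidates, key=lambda f: tone_level(frame, f, fs)))
    return estimates


def notch(x, f0, bw=4.0, fs=FS):
    """Second-order IIR notch (Smith, The Scientist and Engineer's Guide to
    DSP, ch. 19) centred on f0 with about bw Hz of 3 dB width; unity DC gain."""
    w0 = 2 * math.pi * f0 / fs
    r = 1 - 3 * bw / fs
    k = (1 - 2 * r * math.cos(w0) + r * r) / (2 - 2 * math.cos(w0))
    b0, b1, b2 = k, -2 * k * math.cos(w0), k
    a1, a2 = 2 * r * math.cos(w0), -r * r
    y, x1, x2, y1, y2 = [], 0.0, 0.0, 0.0, 0.0
    for v in x:
        out = b0 * v + b1 * x1 + b2 * x2 + a1 * y1 + a2 * y2
        y.append(out)
        x1, x2, y1, y2 = v, x1, out, y1
    return y


def strip_hum(x, fs=FS, harmonics=(50.0, 100.0, 150.0)):
    """Remove the hum and its first harmonics with cascaded notches."""
    for f in harmonics:
        x = notch(x, f, fs=fs)
    return x


def inject_hum(x, f, amplitude=1.0, fs=FS):
    """Paste a fake hum of constant frequency f over the recording."""
    return [v + amplitude * math.sin(2 * math.pi * f * n / fs)
            for n, v in enumerate(x)]


@functools.lru_cache(maxsize=None)
def analyse(real_drift=(49.97, 50.02, 49.99), fake=50.05):
    """Measure the real ENF, strip it, inject a fake one, measure again."""
    rec = make_recording(real_drift)
    clean = strip_hum(rec)
    return {"measured": estimate_enf(rec),
            "level_before": tone_level(rec, 50.0),
            "level_after": tone_level(clean, 50.0),
            "after_fake": estimate_enf(inject_hum(clean, fake))}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The measured drift comes back as three values matching the constructed grid history, the 50 Hz level drops by more than an order of magnitude after the notches, and once a constant 50.05 Hz hum has been pasted in the estimator reports 50.05 for every window, which is the spoof the post describes.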
> I consider software anything that directly accesses the CPU and has instructions for that CPU. Note that a script or other interpreted code is useless without the interpreter, which falls under the purview of a program.
That's what Google tries to do with the Chromebook. It's no use since then you'll just use security bugs in the browser. It just keeps people from actually running local software outside of the browser.
> Operating systems shouldn't be able to run unsigned software - ever.
We already have signed malware. This will only prevent you from installing your own self-compiled software or software from a trustworthy source. Few trustworthy sources will pay the money for a signature.
> ... proper, trusted certificate chain - no self-signed rubbish
Do you know how much a proper certificate costs? Also today we know that at least one attacker can control the root, and we have seen several CAs being taken over by non-governments, as well as customers of CAs being issued certificates far wider than what they should have gotten. The CA world is a terrible mess.
> Certificate revocation lists should be enforced as strictly as is practicable.
Even Google now knows that revocation lists are bogus and possibly even harmful:
> Sandboxing should be made to work properly, strictly enforced, ... as long as they've been given explicit permission by the end users
Look at the mobile world. People will enable _every_ permission they are presented with. As long as you cannot patch out the features in the source code.
It seems like you've never seen the discussions in the late 1990s where "Trusted Computing" came along which tried to do all of this.
The thing that actually did bring security since then was "Free and Open Source Software". FOSS scared Microsoft into (partially) cleaning up the mess they called Windows. Today when software crashes because of invalid input it's considered to be not just an unimportant bug, but a security problem which needs to be addressed immediately.
I don't quite see where the advantage of the double system would be. You need expensive machinery just to save you perhaps at most an hour. Plus you need to do audits. And you probably need to recount much of your votes anyhow since someone complains.
Re: No E-Voting cannot be democratic
Well the point is, with electronic computers it's trivial to make widespread manipulation that is very hard to detect, while pen and paper voting is hard to manipulate and manipulation is easy to detect.
BTW, counting pen and paper votes is also rather quick and can be done in a very few hours. Most elections in Germany, for example, are counted within a single hour.
No E-Voting cannot be democratic
And that has nothing to do with crypto.
The problems are much more basic. For example if you vote at home, someone can look over your shoulder so they will know what you voted for... effectively making it easy for them to buy your vote.
An even more substantial problem is trust and democratic verification. You can verify a pen and paper based system without any special knowledge. Everyone can understand it within a few minutes. So instead of having to have knowledge and capabilities in several fields (mathematics, electronics, programming, microelectronics) you can simply look at the process.
So this may have its applications, e-voting certainly isn't one of those.
Hmm, they bought Nokia. It may be that Nokia has some valid patents on it.
"A currency that can be transferred untraceably"
That's completely wrong. Bitcoin is based on the idea that everybody can see all the transfers. So you can trace them all. In fact if you take part in Bitcoin you have all the transactions stored on your harddisk. What Bitcoin Miners do is to certify those transactions.
Bitcoin is in no way even hard to trace. The only thing is that bitcoin wallets don't have names directly pinned on them. By that standard you could also register a company and open a bank account for it.
Again, Bitcoin is not anonymous, it's pseudonymous at best.
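What "everybody can see all the transfers" means in practice, as an added example that is not part of the original post: a toy public ledger in which every transaction's inputs and outputs are visible but addresses carry no names, and two standard tracing steps run over it. trace_forward() follows coins from one address through every later transaction; cluster_by_common_input() applies the widely used "common input ownership" heuristic, which assumes that all inputs spent in one transaction are controlled by the same party, so that two pseudonyms collapse into one; balance() sums what any address currently holds. The ledger, addresses and amounts are constructed for illustration and are not real Bitcoin data, and the heuristic is exactly that, an assumption that can be wrong.

```python
# Added example, not code from the original post: a toy public ledger of the
# kind the post describes (every transfer visible to everyone, addresses
# carrying no names) and two standard tracing steps run over it.
# trace_forward() follows coins from one address through every later
# transaction; cluster_by_common_input() applies the "common input
# ownership" heuristic (all inputs of one transaction share an owner);
# balance() sums what an address holds.  Ledger, addresses and amounts are
# constructed for illustration, not real Bitcoin data.
from collections import deque

# Constructed ledger: (txid, inputs, outputs); inputs are (address, amount)
# pairs being spent, outputs are (address, amount) pairs being created.
LEDGER = [
    ("tx1", [("coinbase", 50)],       [("A1", 50)]),
    ("tx2", [("A1", 50)],             [("B1", 30), ("A2", 20)]),  # A2 is change
    ("tx3", [("A2", 20), ("A3", 5)],  [("C1", 25)]),              # A2, A3 co-spent
    ("tx4", [("B1", 30)],             [("D1", 10), ("B2", 20)]),
    ("tx5", [("X1", 7)],              [("Y1", 7)]),               # unrelated
]


def trace_forward(ledger, start):
    """Addresses that ever received coins which passed through `start`
    (transitively), and the set of transactions that moved them."""
    seen, frontier, txs = {start}, deque([start]), set()
    while frontier:
        addr = frontier.popleft()
        for txid, inputs, outputs in ledger:
            if any(a == addr for a, _ in inputs):
                txs.add(txid)
                for out_addr, _ in outputs:
                    if out_addr not in seen:
                        seen.add(out_addr)
                        frontier.append(out_addr)
    return seen, txs


def cluster_by_common_input(ledger):
    """Union-find over addresses: inputs spent together in one transaction are
    assumed to share an owner.  Returns the clusters with two or more addresses."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for _, inputs, _ in ledger:
        addrs = [a for a, _ in inputs]
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    groups = {}
    for a in list(parent):
        groups.setdefault(find(a), set()).add(a)
    return sorted((frozenset(g) for g in groups.values() if len(g) > 1),
                  key=lambda g: sorted(g))


def balance(ledger, addr):
    """Coins received minus coins spent by addr; anyone holding the ledger
    can compute this for any address."""
    received = sum(v for _, _, outs in ledger for a, v in outs if a == addr)
    spent = sum(v for _, ins, _ in ledger for a, v in ins if a == addr)
    return received - spent


if __name__ == "__main__":
    reached, via = trace_forward(LEDGER, "A1")
    print("coins from A1 reached:", sorted(reached), "via", sorted(via))
    print("co-spent clusters:", cluster_by_common_input(LEDGER))
    print("balance of B2:", balance(LEDGER, "B2"))
```

Once a single address in a cluster is tied to a person (an exchange account, a shop that published its address, a delivery), everything the tracing reaches from it is tied to that person too, which is why the post's "pseudonymous at best" is the accurate description.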
Re: Bane of my life
I'm not sure about it. Yes it's used by many businesses, but the question is if it's used by important ones. I mean our civilization wouldn't suffer much if certain companies would cease to exist.
Your bakery or fishmonger doesn't need spreadsheets to do their work.
Actually, it might be
If you've got some old 1980s software running on some sort of Unix or VMS or something, it's trivial to get it "into the cloud". You simply put an SSH-terminalserver in front of it and people will be able to use it even over very slow connections... and on just about any device you can get an SSH-client for, which includes all real smartphones.
Also if your software survived from the 1980s till today, chances are it's fairly well designed.
Might make sense for a desktop screen
Since you are closer to the screen there, a curved screen makes a lot more sense there.