* Posts by Christian Berger

3021 posts • joined 9 Mar 2007

Windows 10 Device Guard: Microsoft's effort to keep malware off PCs

Christian Berger
Silver badge

Well it's "Trusted Computing" all over again

This is just one part of a larger concept.

1. It will bring _no_ benefit to security, as it'll be working in the wrong places. For example you will still be able to exploit a browser to steal cookies and such or install any form of spyware/adware. In fact certain players in the field will probably even get their malware properly signed. No malware today actually accesses the hardware since that would be rather stupid. If you are already "System" on that system, you have already won. Since nobody re-installs Windows regularly, you are even persistent on that machine.

2. As a side effect it'll limit the software you can run on those machines. For example FOSS will probably not run on such a machine as it will eventually not run any unsigned code. There may be a temporary figleaf solution where Microsoft signs a generic bootloader, but since that completely breaks the chain of trust, it'll likely be advertised as a huge security problem and removed.

3. The area where it will make sense is DRM. If Microsoft can limit the access to your hardware, they can potentially keep you from grabbing DRMed streams.

There should be laws against this sort of thing, and actually in Germany that would clash with your basic right of "Integrity and Confidentiality of Information Processing Equipment" as derived by the constitutional court some years ago.

1
1

Dumb terminals

Christian Berger
Silver badge

Re: Dumb terminals

Well browsers are too complex to be considered "dumb terminals". After all there are _lots_ of bugs in both the implementation and concept of browsers that open them to security problems.

A sensible solution would be something like VNC, a simple protocol for "web applications" which can be implemented with a minimum of complexity.

And of course the server doesn't have to be at some big company, it could just as well be in your basement or even in a spot in a data centre you rent.

0
0

Singapore's PM personally programmed C++ Suduko-solver

Christian Berger
Silver badge

The language is kinda unimportant there

Nobody expects that PM to do feats in software design, though a talent for writing elegant computer code might translate into a talent for writing elegant legal code.

What's good about this is that he obviously understands at least some basic ideas about computers. He would be someone who you can tell why election computers are a horrible idea. He would understand why DRM cannot do the things it claims to do. He would perhaps even understand why the computer might bring a new era of efficiency which will mean that there's a lot less work to be done.

A PM has to have the big picture and for that he has to have some broad experience. Having used a computer, and even if this was just by writing some C++ program, gives him part of this experience.

0
0

Hi, Fi: Google JOWL-SLAPS mobile bigguns with $20/mo wireless service

Christian Berger
Silver badge

Germany has a 3.99 Euro/month plan

But they will shape your line down to 56k after the first 500 Megabytes or so. However since coverage is spotty in Germany anyhow, it doesn't make much difference whether you could theoretically transmit 56k or 10M.

0
0

What's broken in this week's Windows 10 build? Try the Start Menu, for one

Christian Berger
Silver badge

letters appear twice WTF?!

Seriously, one of the big advantages of Windows is that it provides a toolkit for things like input boxes. That way you don't have to write your own input boxes, particularly not for simple things like calendar GUIs.

So what were those people doing? Is there now a new "input dialog component" with that bug that just happened to be used only there? If yes, why?

1
1

Ubuntu 15.04 to bring 'Vivid' updates for cloud, devices this week

Christian Berger
Silver badge

Ubuntu Phone

I recently got one of those Ubuntu Phones and I have to say it's completely different from what you expect. You need to register with Ubuntu just to get a shell, the default screen tells you about the weather somewhere in the world and shows you news stories in Spanish (WTF!?).

Doing an apt-get is not supported and doesn't work by default. You need to first set your device into a read-write mode which needs special equipment.

So essentially Ubuntu Phone takes out all the good parts of Ubuntu (i.e. the Debian parts) and replaces them with crap.

4
0

Infosec bod's brag: Text editor pops Avaya phones FOREVER

Christian Berger
Silver badge

BTW has someone looked at how he proposes to fix this?

He's attempting to bring out some sort of magical symbiont software which runs in parallel with the firmware and somehow magically protects it from harm. Kinda like a Skynet.

It seems extremely unlikely that such a system would work outside the realm of science fiction. Combined with that conference apparently being a sales conference where only marketing people go, we may have a sort of con going on. We'll know more when his thesis is published.

0
0
Christian Berger
Silver badge

Yeah you kinda expect that

That very company also had a bug in their call centre management software. To quote from their note "Therefore, if there are no files under /tmp at the exact moment when the /etc cleanup script is run on Linux the script may start to delete all files under /."

http://downloads.avaya.com/css/P8/documents/100177034

AVAYA is one of the companies I'd put in the "avoid at all cost" category. Luckily there are lots of alternatives.

2
0
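
As an added illustration (not Avaya's script, which the note above only describes), here is a hypothetical reconstruction in POSIX sh of that failure class: a cleanup script derives its working directory from whatever it finds under a temp directory, so when the directory is empty the derived path collapses to "" and the deletion target becomes "/*". The naive function is shown beside a hardened one that refuses to act unless the derived directory is still inside the temp directory. Nothing here deletes anything outside a scratch directory the example creates itself; both functions only print the path that would be handed to rm -rf. The function names, the scratch directory and the sample file name are constructed for this example.

```shell
#!/bin/sh
# Added example, not Avaya's code. Hypothetical reconstruction of a
# "derive the directory from /tmp contents" cleanup pattern and the
# reason it degrades to deleting under "/" when /tmp is empty.

# Naive pattern: take the first file found under $1 and clean up the
# directory it lives in. With no files present, `ls` prints nothing,
# $first is empty, the "${first%/*}" expansion yields "" and the
# target that would be passed to rm -rf becomes "/*".
naive_cleanup_target() {
    tmpdir=$1
    first=$(ls "$tmpdir"/* 2>/dev/null | head -n 1)
    dir=${first%/*}                  # "" when $first is empty
    printf '%s\n' "$dir/*"           # what `rm -rf $dir/*` would receive
}

# Hardened variant: same derivation, but the target is only emitted when
# the derived directory is non-empty and still under $tmpdir. Any other
# value (empty string, "/", an unrelated path) is refused with exit 1.
safe_cleanup_target() {
    tmpdir=$1
    first=$(ls "$tmpdir"/* 2>/dev/null | head -n 1)
    dir=${first%/*}
    case "$dir" in
        "$tmpdir"|"$tmpdir"/*) printf '%s\n' "$dir/*" ;;
        *) printf 'REFUSED (derived dir "%s" is outside %s)\n' "$dir" "$tmpdir"
           return 1 ;;
    esac
}

# Stand-alone demonstration on a constructed scratch directory.
demo() {
    scratch=$(mktemp -d)
    echo "empty dir, naive  : $(naive_cleanup_target "$scratch")"
    echo "empty dir, safe   : $(safe_cleanup_target "$scratch" || true)"
    : > "$scratch/session.log"       # constructed sample file
    echo "one file, naive   : $(naive_cleanup_target "$scratch")"
    echo "one file, safe    : $(safe_cleanup_target "$scratch")"
    rm -rf "$scratch"
}

demo
```

The check in the hardened variant is the one a reviewer would ask for in any script that builds an rm target from data: validate the derived path against the directory you intended to stay inside before passing it on, and make the empty case an explicit failure rather than a silent fallback to the root.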

'Leaked' EU digi wish list: Junkets for Eurocrats, sops to copyright and telcos

Christian Berger
Silver badge

We'd first need to abolish DRM

I mean DRM obviously is one of the big problems in the whole area here.

DRM means that in order to use the material you need to break the DRM. Even playing DRM "protected" files means you need to install software working against your interests, which is fundamentally incompatible with your right of "integrity and confidentiality of information processing equipment" as declared by the constitutional court in Germany.

5
0

D-Link: sorry we're SOHOpeless

Christian Berger
Silver badge

Re: The sad thing is...

Yes, but why not just pass a law that would outlaw hardware without well documented interfaces?

I mean seriously this could be dressed up as a major security issue.

Imagine Broadcom puts some spyware into their blobs, they could take over a very substantial amount of devices. They could potentially even take over laptops with governmental secrets on them.

It would be hard to find out as you can easily hide code in a binary blob compiled for an obscure processor architecture. After all the processors in the wireless chip probably aren't plain vanilla ARM.

0
0
Christian Berger
Silver badge

The sad thing is...

... it's most of the vendors and most of their products. The problem exists in everything from $20 routers to $200 routers. In fact the ultra cheap routers might even run OpenWRT which probably has _much_ fewer problems security wise than the software running on more expensive boxes.

Maybe we need laws allowing everyone to freely replace the software they run on their devices. Then the store where I buy my router can just flash OpenWRT onto it and therefore actually do something that justifies their markup.

5
0

Lawyer: Cops dropped robbery case rather than detail FBI's StingRay phone snoop gizmo

Christian Berger
Silver badge

I wonder what's in the NDA

I mean seriously IMSI catchers aren't high tech any more. You can use OpenBTS for that. And faking another network essentially means setting your network identifier to the one of that network. Actually as far as I know, when you get an experimental GSM licence (yes you can get that, costs around 200 Euros for the first year, and 20 Euros for every following year) it is not specified what network identifier you have to use.

0
0

So why exactly does almost ALL tech live in Silicon Valley?

Christian Berger
Silver badge

"Truly testing an economic theory or model would be very expensive and time consuming."

Actually no, even though doing an experiment is hard, you can test models simply by observation. It's how astronomy or meteorology works.... and the testable statements those fields make typically have a very decent correlation to the true world. The weather report has a decent chance of predicting the weather for the next week.

1
1
Christian Berger
Silver badge

Well economics has also, so far, been known for ignoring facts in favor of dogma. And in the few cases it does make testable predictions, for example when it comes to predicting the growth of a region, those predictions usually are badly correlated to the actual data.

5
1
Christian Berger
Silver badge

I'm sorry, but some assumptions are wrong

First of all Silicon Valley isn't about technology or knowledge. Silicon Valley today is mostly about business trying to sell advertisements. If any company has a small development branch, it's just there to help sell those. That's why there is next to no innovation in our world today. That's why Ubuntu Phone is near indistinguishable from Android or iOS.

Then second, the amount of money you get doesn't depend on how much you know, it depends on where you work. And well paying jobs in engineering are usually not the better ones. And even the highest paying jobs in engineering don't even pay a fraction of what even upper management people who have proven to be incompetent get.

Without really good education there is simply no market for technology. Why should someone buy the device that's better engineered when they don't understand what's better about it?

10
3

Go for a spin on Record Store Day: Lifting the lid on vinyl, CD and tape

Christian Berger
Silver badge

You know back in the olden days...

... even very non-technical people didn't have to have it explained to them how you would copy a record to some other format like tape. People just did it.

7
0

Mega fatcat Kim Dotcom in deportation drama over SPEEDING ticket

Christian Berger
Silver badge

Re: What are the odds

"Julian will be getting a new bunkmate?"

Even after all I've heard about the US, I don't think they get down to _that_ amount of torture.

2
1

D-Link router patch creates NEW SOHOpeless vuln

Christian Berger
Silver badge

It's actually not just SOHO routers

At work I've been dealing with "business IAD" which are supposed to convert SIP into ISDN. I have to tell you that market is full of companies who have no idea of what they are doing. Our current strategy is to just install ACLs to make them not talk to the rest of the Internet. At least one IAD we've tried actually tends to crash when you leave it to the open Internet. The other one is managed via a proprietary software... which is probably open to replay attacks. I've compared the TCP-dumps of 2 authentication sequences... and they were identical.

3
0

Default admin password, weak Wi-Fi, open USB ports ... no wonder these electronic voting boxes are now BANNED

Christian Berger
Silver badge

Re: The position of the constitutional court of Germany is worthy of note

"The problem is, with millions or tens of millions of people voting, hand jobs are just not practical."

Uhm.... Germany has roughly as many voters as the US. I never had to wait for more than 10 minutes to vote, the voting booths close at 18:00, and the official results are announced before 20:00. Typically enough polling places have been counted by 18:30 to give a really good prediction.

Financial institutions represent a completely different problem than voting. With voting you need privacy particularly against the people running the election. With financial institutions you don't have that. Within the organisation there are lots of audit logs. Therefore you cannot move money from one account to another one without there being a "paper" trail. That wouldn't be acceptable with voting. If you don't understand why, look at how elections in the GDR worked.

11
1
Christian Berger
Silver badge

The position of the constitutional court of Germany is worthy of note

Essentially they say that even _if_ those machines were "secure", they still couldn't be used as it's not about them being secure, but about the layperson being able to check for election fraud by themselves.

A simple pen and paper system may be easy to compromise, however it's trivial to check. You look into the ballot box before they seal it, it needs to be empty. You count how many people came to vote and how many ballots are in the box when they open it again. Then you make sure those ballots are properly counted and nobody adds or removes any ballots. Since the ballots will be stored in a sealed box afterwards, you can always recount them.

Any sort of system that involves mechanics, electronics or mathematics is much harder to understand. A voting system has to even work in the "paranoid" situation where everybody is against you. You cannot ask a mathematician to prove its correctness to you, you cannot ask a team of forensic engineers to disassemble and check your voting computer.

18
1

Segway bought by former patent spat adversary Ninebot

Christian Berger
Silver badge

Wouldn't it be easier to just convert matter into energy

and then convert that back to matter?

Here's a film of that being done in Turkey in the early 1980s.

https://youtu.be/_dBN5tCqWU0?t=339

0
0

Microsoft points at Skype, Lync: You two, in my office – right now

Christian Berger
Silver badge

Re: Yeah, it's great but...

"The thing is, you can host Lync servers yourself and keep control of all your data within your company intranet."

Actually you cannot, Lync is closed source so you can never say if it isn't sending out encrypted copies of the messages for a selected few people. If you want to have IM there's _plenty_ of open solutions like XMPP.

12
22

Strange radio telescope signals came from microwave ovens

Christian Berger
Silver badge

Uhm, first of all 0.7 Watts would kill every wireless LAN in the building, and that's the concern, not some weird concern about radiation.

"2000 watts of energy" I'm sorry, but that phrase kinda disqualifies you. Plus you're not likely to see a lot on your spectrum analyzer as the frequency is rather low. You don't actually get a wave with a coil fed with 20-50 kHz. Without a secondary winding (i.e. a pot) the energy will just oscillate between the inductivity and the capacity.

0
0
Christian Berger
Silver badge

Well "sealed" does not necessarily mean "perfectly sealed". Essentially something like 99.99% of the radiation stays in and heats your food. The rest is irrelevant. If it was only keeping 90% in, you'd not only waste energy, but the radiation levels outside your 700 Watt microwave oven would start to become unpleasant.

The remaining radiation certainly shouldn't be large enough to cause an "all sky" event at a rather remote radio telescope, except of course for when you open it too soon.

1
1

Oh, hi there, SKYNET: US military wants self-enhancing software that will outlive its creators

Christian Berger
Silver badge

Re: Plenty of old code out there

Actually if you look at systems like Maxima which is based on a 1982 version of Macsyma which is from 1968, we are getting close to 50 year old code still being in widespread active use.

0
0
Christian Berger
Silver badge

Re: So: Java (shudder)

No Oracle has made that clear by saying that Java will not be the "new COBOL", which means that Java will not stabilize and will always remain an ever changing language with more and more features bolted on.

0
0
Christian Berger
Silver badge

This could either become a disaster...

...by building frameworks that try to abstract the program logic away from its implementation (or such nonsense)...

...or they end up just recreating UNIX which uses a few simple principles to make sure your software will play nice with just about anything from COBOL to J2k. In fact you can even re-implement parts of your software easily without breaking the rest.

1
0

What a time to be alive ... hard and floppy disk drives play Nirvana's Smells Like Teen Spirit

Christian Berger
Silver badge

Of course the real deal is when you can get an unmodified matrix printer to sing for you :) It's doable to some extent. Probably the easiest way is to use custom fonts.

0
0

Microsoft uses Windows Update to force Windows 10 ads onto older PCs

Christian Berger
Silver badge

Re: The only 'advertising' I see ...

"Oh don't get me started on WGA. I'm on my FOURTH (count em) Win7 right now, all because Microsoft seem to have an understanding gap in the way desktop PCs work."

That's why you typically install Windows in a virtual machine on top of some normal operating system. That's _much_ less hassle.

0
0
Christian Berger
Silver badge

Re: Monty Python?

"Then they start squabbling about which distribution is best."

Yes, the German phrase is "Jammern auf einem hohen Niveau", "moaning at a high level". Essentially since your typical Linux distribution solves most of the problems a typical Windows user has (i.e. getting software without malware, getting updates, etc) there are few things your typical Linux/BSD user has to complain about.

There's also another side to it. Since the Unix "philosophy" allows you to do a lot with very little code, and open source projects are now something quite a lot of developers want to do, there is a certain oversupply of developer resources. The result of this are over-complex projects like Systemd, Pulseaudio or Network Manager. Or on a grander scale, web standards becoming more and more complex, because it now seems as if we could afford it.

2
0

Hackers now popping Cisco VPN portals

Christian Berger
Silver badge

Re: The Cisco Security story goes from strength-to-strength

It always has been. Just look here:

http://media.ccc.de/search/?q=cisco

0
0

This will crack you up: US drug squad's phone call megaslurp dates back to 1990s

Christian Berger
Silver badge

Just abolish the secret services...

...then if there still is a need for some aspects of those, re-create those parts of them and staff them with completely new people.

Just think of it. If you would spend all the money poured into secret services on education and social services, the US could become a major country again.

1
0

Most top corporates still Heartbleeding over the internet

Christian Berger
Silver badge

My favourite is Teles AG in Germany

Their "support forum" they use to publish firmware images also runs on a Windows machine with an affected version of OpenSSL, it even says so right in the directory listings. So if you would execute the attack on this, you'd probably get the password to put new firmware images on there.

0
0

HP Stream x360: Flippable and stylish Chromebook killer

Christian Berger
Silver badge

Multiple "no go" points

1. Shiny display (why just why? In Germany you can actually sue your employer for giving you a shiny display)

2. Hard to replace battery

3. No mouse buttons

Apart from that there are certain "soft" criteria. For example it looks like a children's toy.

4
0

Google takes ARC Welder to Android, grafts on Windows, OS X

Christian Berger
Silver badge

Re: Ewwwwww

Well first of all distributions have a certain degree of quality control. It may not be perfect, but it certainly is better than the non-existent quality checking in App-Stores.

The App market currently is one of those "idiots markets". It's like the "web applications (in PHP)" market or the "windows GUI application" market in the 1990s. People make their first attempts at programming on those platforms, and since all of our first attempts were utter crap, those markets are filled with that.

The great thing about the UNIX philosophy is, that it makes most of those apps completely irrelevant. There's no need for them, as the same can be done with a command line.

0
0

Tape thrives at the margin as shipped capacity breaks record

Christian Berger
Silver badge

Compression vs real life

Sure you can probably make the drive compress your database dumps 4 fold. However how often do you have the case that you need to store huge amounts of readily compressible files on a machine that does not have gzip installed?

So 1 cent per Gigabyte probably means more like 4 cents per Gigabyte, which is right in the ball park of cheap hard disks. You can turn off / spin down hard disks and you don't have the huge overhead of a tape changing robot and multiple drives (plus maintenance).

0
1

Tech leaders: Is your biggest threat North Korea or your own board?

Christian Berger
Silver badge

"At least with PCs you have a chance of identifying nasties with freely available software."

Well actually with PCs you can get much further ahead. You can harden your systems by throwing out features you don't need. If you have moderately smart people in your IT, you can control it to a very fine degree while still not limiting productivity in any noticeable ways.

0
0

Notebooks drag PC sales out the toilet, fondleslabs still falling

Christian Berger
Silver badge

Re: tablet sales will continue to decrease because of their longer-than-expected lifecycle.

I wouldn't say that the lifecycles are longer with tablets than they are with Laptops. I mean I'm writing this on a 2010 ThinkPad and I can still run the latest and greatest software. With a 2010 tablet I'd be stuck with whatever firmware image the vendor provides, which, even with better vendors, is probably from a few years back.

In a way the mobile market is a lot like the home computer market in the 1980s. You see lots of vendors essentially producing the same product, but essentially incompatible with the others. Just like CP/M we now have Android to smooth out the worst incompatibilities. However upgrading such a device to the current version of Android, or another system altogether is near impossible. The process would involve recreating proprietary binary blobs and porting it to every single model individually.

0
0

Is this what Windows XP's death throes look like?

Christian Berger
Silver badge

Re: He who laughs last, laughs best.

Exactly, that's why I prefer _real world_ statistics. Don't look at shady organisations or teenagers in their basements playing computer games, go out into the world. Get a tent and look at what the people around you use.

From my experience that's around 90% Linux on Thinkpads, around 10% Macs, usually paid for by the company and some very few Dells, some with Windows on.

0
0
Christian Berger
Silver badge

Maybe they just dumped flash?

Considering that most of those surveys are based on the logs of ad companies which probably mostly use flash, just dumping flash would greatly lower their perceived market share.

I mean that's why those surveys also show such low numbers for Linux.

0
0

South Korea to NUKE Microsoft ActiveX

Christian Berger
Silver badge

This is why you should never get proprietary standards

You will always find yourself in a dead end having to re-implement everything again.

Keep that in mind when installing proprietary telephones, or proprietary streaming services or proprietary operating systems.

10
1

Netflix teams with AWS to launch VHS-as-a-service

Christian Berger
Silver badge

BTW, Image fail

The VCR in the picture is a D-VHS one, the attempt to provide a digital variant of VHS. Unfortunately it was stopped by movie executives who demanded digital inputs to be disabled when those devices went to the manufacturer for maintenance.

Anyhow, D-VHS would record something from 2.8 to 28 MBit/s so it's probably _much_ better than what Netflix currently offers.

1
0
Christian Berger
Silver badge

Actually I somewhere have a report on an early "video on demand" system

It was an experimental system installed at the headend of a pilot project.

You could order your movie via the remote. Then someone at the headend would run to the archive to get the tape, and put that tape into a VCR. You could then control that VCR.

0
0

Silicon Valley gets its first 1Gbps home bro– oh, there's a big catch

Christian Berger
Silver badge

The question is the upstream bandwidth

1GBit/s is rather pointless if your upstream is rather low. The upstream is what counts.

The typical example is watching TV over the Internet. If you only have 10 MBit/s you are not going to be able to provide more than a single SD channel over it.

2
0

Prostrate yourself before the GNU, commands Indian DEITY

Christian Berger
Silver badge

Re: Would The Reg please stop

> Do they realise how much FOSS gets used in commercial software these days? Or have they written their own in-house replacement for zlib? Try grepping, (oops, grep must be banned), searching for the BSD copyright strings in some of the windows executables like ftp.exe.

BSD code is kinda OK. No they don't use grep, they use a commercial tool called "Black Duck" which is hugely expensive.

> Oh dear, not that easy to escape, is it?

Yes, but they are trying hard. Instead of Windows, they have a special cut down version of it called "New Office". The top point on the feature list of a release I've seen was "Disable IPv6 support". We could only use IE and with special permission "Google Chrome".

The situation was so bad, departments routinely got themselves a "shadow IT" where they used some of their budget to buy laptops without the IT department knowing about it. Our department even managed to get Internet access.

3
1
Christian Berger
Silver badge

Re: Would The Reg please stop

Well as usual many corporations are _much_ worse than that. I used to work in a large appliance manufacturer with a "no FOSS" policy. This is because one of the owner companies was sued for violating the GPL because they didn't respond to a complaint within 2 months or so.

License costs are actually rather irrelevant. What's more expensive is the lost productivity because commercial standard software often is inferior to its FOSS counterparts, plus a certain correlation between not using FOSS software in your mix of software and making rational decisions.

11
6

Ten things you always wanted to know about IP Voice

Christian Berger
Silver badge

Re: Needs better information on faxing

"But yes, as technology gets better we can expect traditional fax to disappear, something that the adoption of X.400 messaging (instead of SMTP) all those years back would probably have assisted..."

I doubt that with X.400 any of us could even afford E-Mail. I mean SMTP is so simple early servers even had a "HELP" command to explain the protocol to you. Now compare that to X.400 where you have a binary protocol based on ASN.1. The parser alone needs more code than a simple SMTP server.

0
0

How a hack on Prince Philip's Prestel account led to UK computer law

Christian Berger
Silver badge

Re: It was dial-up in more senses than the link....

Well you'd obviously modulate the dial pulses into beeps which wouldn't interfere with the downlink. The great advantage would be that you wouldn't need a microcomputer on the client side... which back in the 1970s was a very good point.

0
0
Christian Berger
Silver badge

The German version (Bildschirmtext, BTX) had a rather nifty logical flaw

In the early sets the user credentials were stored on a PROM inside the modem. This was done to prevent fraud and the use of non-licensed modems.

As soon as the modem would detect a carrier, it would send its login credentials...

However that modem could not detect rings. After all it was just meant to do outgoing calls. So what some people did was to get a modem for the answering side, call a BTX terminal at a trade show and wait till someone wants to dial into BTX. It'll then pick up the line, try to dial (which will be ignored), get your carrier, and send you its credentials.

3
0

Everything is insecure and will be forever says Cisco CTO

Christian Berger
Silver badge

Well... but we are talking about Cisco... this is the company which at least until recently, had all processes on their equipment run in the same address space.

This is also the company which installs cheap router grade software on expensive storage appliances, or the same company which sells VoIP telephones you can ssh into, but they have an authorized_keys file.... which they get via TFTP.

With Cisco there just isn't any indication that they care about security.

0
0
