Posts by Christian Berger

2527 posts • joined 9 Mar 2007

14 antivirus apps found to have security problems

Christian Berger
Silver badge

Re: Illusory

Well the point about that new OS is that the code has been proven not to suffer from certain kinds of bugs. Since such a proof is very hard to do, they only did it with very little code, hence a microkernel. It is then hoped that a "secure" microkernel will be able to secure the rest of the system... which is not necessarily true.

However it is a big step towards security.

0
0
Christian Berger
Silver badge

Well it should be obvious

AV companies started their products in the 1990s, back when nobody was good at programming, at least not the people who programmed for Windows.

Then they kept putting layer on layer of complexity. First they only scanned files, then they scanned archives. They continue to mess around with more and more complex programs. If a team implementing a compression algorithm cannot get it right, why should a team also responsible for lots of other things get a whole bunch of compression algorithms right?

Among security people, AV is seen as snake-oil. It cannot work in principle, therefore they won't work on such projects.

Lastly, to answer the question why browsers are harder to exploit than AV software: Browsers have been mostly open source for more than a decade now. Browsers are actively researched and exploited by a large variety of people. Compare that to AV software, which nobody who knows about security cares about.

2
1

Bitcoin on ATM? Pfft! We play DOOM on ours

Christian Berger
Silver badge

Re: Steam Punk Cool

Actually ATMs were among the first things standing around in public that had access to data networks. At least some of them were connected to ISDN lines where they would use X.25 over the signalling channel to verify their transactions.

2
0
Christian Berger
Silver badge

Yawn

It's old, and it's obviously rather easy if you can modify your ATM.

This series of pictures shows chess being played on an older OS/2 based machine:

http://www.ulm.ccc.de/old/projekte/bankomat/

Essentially the bank left a console window open.

4
2

Blighty will be BIGGER and BETTER than Germany, confirm beancounters

Christian Berger
Silver badge

From my experience working at a German "tech" company...

... this shouldn't be too difficult. Just get rid of all your MBAs and bad engineers and the remaining few will be able to work much more efficiently. At least that's what you'd do to a German company for it to become competitive.

0
0

Bring back error correction, say Danish 'net boffins

Christian Berger
Silver badge

Re: FEC

Well the idea is that you use FEC spread across packets so you don't have to re-transmit a lost packet. So you spread the information of 3 packets into 4 and can live with one in 4 being lost.

Lost packets can happen even with strong FEC with wireless connections.

0
0
Christian Berger
Silver badge

Well under some circumstances

Yes, on high latency connections this could bring a considerable improvement. However it would require a new protocol, kinda a TCPwR (Transmission Control Protocol with Redundancy).

There are 2 problems with this:

1. It won't go through unmodified NAT.

2. It can be hard to implement.

The first problem is particularly bad with "carrier grade NAT" you commonly have on high latency mobile connections, or mid latency consumer connections.

The second one is evident if you look at real life implementations of TCP/IP stacks. There are ones, particularly in embedded systems, that still have severe problems. For example the Nucleus one just tends to drop connections without telling the application about it. Adding more complexity will cause lots of problems.

Maybe one sensible way of doing it would be to extend TCP in some way so connections could easily fall back.

5
0
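The cross-packet FEC scheme described in the two comments above (spread 3 packets into 4, tolerate one loss in four) in working form. This is an added example, not code from the commenter or from The Register; the framing (a 2-byte length header, zero padding, one XOR parity packet per group of three) is my own assumption about how such a scheme would be laid out, and the loss simulation is constructed for the demonstration.

```python
"""Packet-level forward error correction: one XOR parity packet per group.

Three data packets are protected by a fourth parity packet that is the XOR of
the three. Any single erasure in the group of four is rebuilt at the receiver
without a retransmission round trip; two erasures in one group are not
recoverable, which is the limit the comments above accept.
"""
from typing import List, Optional

GROUP = 3   # data packets per FEC group; the wire carries GROUP + 1
HDR = 2     # bytes of length header prepended to each payload (assumed framing)


def xor_bytes(blocks: List[bytes]) -> bytes:
    """XOR a list of equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        assert len(blk) == len(out), "FEC blocks must be equal length"
        for i, x in enumerate(blk):
            out[i] ^= x
    return bytes(out)


def encode_group(payloads: List[bytes]) -> List[bytes]:
    """Frame GROUP payloads with a length header, pad them to equal size and
    append one parity packet. Returns GROUP + 1 packets in wire order."""
    assert len(payloads) == GROUP, "exactly GROUP payloads per group"
    framed = [len(p).to_bytes(HDR, "big") + p for p in payloads]
    size = max(len(f) for f in framed)
    padded = [f + b"\x00" * (size - len(f)) for f in framed]
    return padded + [xor_bytes(padded)]


def decode_group(received: List[Optional[bytes]]) -> Optional[List[bytes]]:
    """received: GROUP + 1 slots in wire order, None marking a lost packet.

    Returns the original payloads, or None when more than one packet of the
    group was lost (XOR parity can only repair a single erasure)."""
    assert len(received) == GROUP + 1
    lost = [i for i, pkt in enumerate(received) if pkt is None]
    if len(lost) > 1:
        return None
    packets = list(received)
    if lost:
        # XOR of every surviving packet (data and parity) yields the missing one.
        present = [pkt for pkt in packets if pkt is not None]
        packets[lost[0]] = xor_bytes(present)
    payloads = []
    for pkt in packets[:GROUP]:
        n = int.from_bytes(pkt[:HDR], "big")   # strip header and padding
        payloads.append(pkt[HDR:HDR + n])
    return payloads


def overhead_ratio() -> float:
    """Bytes on the wire per byte of data, ignoring headers: 4/3 for GROUP=3."""
    return (GROUP + 1) / GROUP


def simulate_loss(packets: List[bytes], lost: List[int]) -> List[Optional[bytes]]:
    """Constructed loss model: drop the packets at the given wire positions."""
    return [None if i in lost else pkt for i, pkt in enumerate(packets)]


if __name__ == "__main__":
    data = [b"hello", b"fec", b"packets"]          # constructed sample payloads
    wire = encode_group(data)
    for pos in range(GROUP + 1):
        assert decode_group(simulate_loss(wire, [pos])) == data
    print("single loss at any of 4 positions recovered;",
          "double loss ->", decode_group(simulate_loss(wire, [0, 2])))
```

On a lossy but high-latency link this removes the retransmission round trip for isolated losses; bursts that take two packets of the same group still need a retransmission path, which is why the second comment argues for a fallback to plain TCP rather than a replacement.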

Redmond in rapid rebuild after sysadmin request STUNNER

Christian Berger
Silver badge

I wonder how such a tool looks like...

...particularly considering that for many years the only built-in way of reading the system logs was through a non-resizable window.

1
0

BSkyB slurps Murdoch's Italian and German Sky assets to beef up European pay-TV biz

Christian Berger
Silver badge

Re: What would be cool

Well I kinda have the same problem. In fact with the new satellite I'm even exactly in a null, so there is no hope of reception. I get by with a video disk service which gets me DRM-free files delivered via FTP.

Anyhow of course German TV averages about "Five".

1
0
Christian Berger
Silver badge

What would be cool

Is that they would just close down Sky Deutschland and replace it with Sky UK. Considering how bad Sky Deutschland is in everything except sports (which I don't really care for), that would be a real improvement.

0
0

Indie ISP to Netflix: Give it a rest about 'net neutrality' – and get your checkbook out

Christian Berger
Silver badge

We should outlaw DRM

If there wasn't any DRM, services like Netflix would easily cache via a transparent cache and we wouldn't have that problem.

Other than that it seriously makes me wonder how bad the infrastructure in the US must be that ISPs actually cannot get proper affordable upstream bandwidth.

3
0

Audio tech upstart DTS takes on Wi-Fi speaker juggernaut Sonos

Christian Berger
Silver badge

The questions are...

...is it an open standard, free of patents?

...is it easy to implement on your own without weird libraries?

Only if you can answer those 2 questions with yes is it worth investing in it.

0
0

US Social Security 'wasted $300 million on an IT BOONDOGGLE'

Christian Berger
Silver badge

Happens regularly in industry

However in industry nobody outside notices, except when the company goes bust because of it.

It's just customers' money anyhow, so why should they care?

0
0

FRIKKIN' LASERS could REPLACE fibre-optic comms cables

Christian Berger
Silver badge

Actually light doesn't "bounce off" the edges of a fibre optic cable....

...at least not in anything "communications grade". Of course it will for cheap SPDIF-like systems, but if you want to reach high speeds you encounter a rather simple problem: The parts that bounce around will take considerably longer to arrive than the parts which go straight through the middle. This may not sound like a lot, but it adds up. If you have a 100km cable, a path a percent longer or shorter can really spoil your bandwidth.

Instead fibre optic cables actually work more like microwave waveguides by providing an environment where, ideally, only the wave you are interested in can exist. This involves lots of math.

5
0

HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert

Christian Berger
Silver badge

What did you expect?

Apple is one of the few companies that doesn't give out their source code. What other reason, except for betraying the user can there be for this?

I think we should ban binary only software. It's not just too much of a security risk, it's also a question of consumer rights. If I buy a car or a vacuum cleaner I have every right to modify it in any way I want. Why don't I have that right with software? Why can't I just patch out features I don't like or patch in features I'd like to have?

0
0

SK Telecom, Ericsson trial 'elastic cell'

Christian Berger
Silver badge

Yes, it's all in the LTE advanced roadmap

So they are, in a nutshell, implementing what is planned to be implemented for years.

Surely it's nifty technology, but it's barely news.

0
0

WTF is ... Virtual Customer Premises Equipment?

Christian Berger
Silver badge

Actually... I'm kinda doing that

I don't trust the router of my ISP and my ISP, so what I have is a tunnel to a rented server in a data centre. The NAT happens there and I connect to it via an OpenVPN tunnel. Of course DHCP and similar services still run locally.

However trusting your ISP in doing that is just foolish. ISPs have shown over and over again that they are not trustworthy. Just think of the BT incident where they replaced advertisements and tracked you. I think it was called Phorm.

1
0

There's NOTHING on TV in Europe – American video DOMINATES

Christian Berger
Silver badge

Re: You jest!

Seriously the BBC is great when compared to the rest of Europe. Even ITV is.

For example the BBC dares to bring shows like "Stargazing Live" at prime time. A show which is not aimed at the lowest common denominator. The BBC even experiments with things like "Hairdresser of the Year".

And ITV even has people with character, just think of Harry Hill. You may not like him, but at least he's not as bland as German show hosts are today.

0
0

Manic malware Mayhem spreads through Linux, FreeBSD web servers

Christian Berger
Silver badge

Re: What century are these guys in?

I think most Linux Distributions had autoupdate long before Microsoft even started that near pointless scrap of update mechanism they have now.

5
3
Christian Berger
Silver badge

Ahh, so it's PHP malware

This has very little to do with Linux and FreeBSD, but with PHP which makes it _really_ hard to write secure code. (at least a lot harder than writing insecure code)

15
2

Meet the 'smallest GPU' for wearable gizmos ... wait, where did it go?

Christian Berger
Silver badge

I don't even know if that makes sense

I mean sure, "smart"-watches had and will have displays, and in the future devices sold as "smart"-watches will have pixel based displays. However they are rather small, so it's hard to display any significant amount of information. What's even worse is that touch interfaces make it really hard to interact with them in any meaningful way. So I'm not sure how important this will be.

What might be more important would be voice recognition. Currently it's the only way to give semi-complex commands to a mobile phone. Maybe we will one day whisper to our watches - Michael Knight style. :)

0
0

Chrome browser has been DRAINING PC batteries for YEARS

Christian Berger
Silver badge

We should fix the underlying problem

Browsers are just so complex, they have such huge code bases nobody can properly understand them any more. Maybe we should go on and split up a successor to HTML into 2 separate standards. One for "documents" and the other one for applications. Both would need to be as simple as possible to get rid of legacy bad design decisions like being able to execute code from other webservers than the one you load your HTML from.

Maybe we could then write a client for that new protocol in a browser, so there would be a trivial way to transition over to it.

2
0

Want to beat Verizon's slow Netflix? Get a VPN

Christian Berger
Silver badge

It's similar with Deutsche Telekom here

They don't do peering, so if you want to connect to them, they'll charge you as if you were their only upstream ISP, and they charge about double of what the competition does. Therefore, as far as I know, they aren't connected to Google or any of the large Internet exchanges.

However local hosting providers typically are connected to them as well as to the nearest Internet Exchange. So routing through your server at such a hosting company can make your YouTube work considerably better.

1
0

OpenWRT gets native IPv6 slurping in major refresh

Christian Berger
Silver badge

Finally!

Finally proper IPv6 support. Finally you can use this in "productive" home environments where you don't have a whole IPv4 subnet to distribute.

5
0

Hamas hacks Israeli TV sat channel to broadcast pics of Gaza wounded

Christian Berger
Silver badge

There are multiple plausible ways to do this

And since ElReg doesn't go into the details, I think it's fair to give an overview.

The traditional way is to have a second, but considerably stronger uplink. You'd need to be at least about 10 times stronger, which is hard to do. In the olden days of analogue feeds to the uplink, you could even do this to the feed, which is much easier.

Then today many uplinks are fed via the Internet. RTMP can probably be spoofed with some effort.

The most plausible way might be an attack against the Playout Centre. TV-stations today, particularly small satellite ones, don't have people starting tape cassettes or reading continuity announcements any more. Instead it's all just files on disks which are automatically played and put on the air. There are commercial Playout Centres for doing this. Much content will still be shipped to it on tape, but commercials and similar fast changing material is simply uploaded via FTP. Now if you get access to that FTP server, it's trivial to swap out files. If you get the correct length, it'll play seamlessly just as if it was intended that way. If you don't, you might get some hiccups.

Getting the FTP password might be done via malware or via an intern at the station.

9
0

Flaw in Google's Dropcam sees it turned into SPYCAM

Christian Berger
Silver badge

The spy is inside the device

It runs probably closed source code from a company known to store and process every bit of information they get. Even if said company is not evil, they are under US, and possibly even UK, legislation forcing them to hand over every bit of information they have.

3
1

NEW Raspberry Pi B+, NOW with - count them - FOUR USB ports

Christian Berger
Silver badge

Re: @Anonymous Coward

Actually most German online electronics stores have Raspberry Pis. Pollin is mostly known for surplus and used stuff.

0
0

Forget the mobile patent wars – these web giants have patented your DATA CENTER

Christian Berger
Silver badge

Re: Non-obviousness

Well, there are patent lawyers. And they just continue to nag the patent clerks until the patent goes through and the lawyer goes away.

For a patent conforming to your rules, you don't actually need a lawyer, it just goes through after the patent clerk kindly pointed out the errors you have been making.

0
0

LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more

Christian Berger
Silver badge

Re: Corporations (like Google) need to step up.

"Downvotes? What terrorist dislikes the "Art of UNIX Programming"?"

In my experience there is a violent branch of the C++/Java/C# fans that completely hates that book. Unfortunately some of them are now found in what is called the "Freedesktop" movement.

10
0
Christian Berger
Silver badge

Re: Corporations (like Google) need to step up.

BTW if you are interested in software design in C, read "The Art of UNIX Programming". It's a completely different mindset to the C++ one.

14
1

Another 'NSA-proof' webmail biz popped by JavaScript injection bug

Christian Berger
Silver badge

Browsers cannot be secure...

...since the encrypted channel there is based on public certificates. Though you can get something similar to certificate pinning with self-signed certificates, this can easily be subverted by using normal certificates.

What we finally need to do is to get GPG to be more usable and shipped by default with e-mail software.

1
0

Say goodbye to the noughties: Yesterday’s hi-fi biz is BUSTED, bro

Christian Berger
Silver badge

What will you do in 10 years with it?

I mean your typical component stereo system is not only much cheaper (when you use used components like speakers), but is also rather future proof. Analogue audio is like the text files of electronics, it just works and every device can speak it. Even SPDIF is widely used and understood by many vendors. Contrast that to some wireless solutions which depend on complex, sometimes even proprietary, protocols.

So the way those wireless multi-room systems are built today they are just suitable to extract money from hipsters.

4
0

How to make $7,000 a month and benefits: Be a teen tech INTERN

Christian Berger
Silver badge

The most important thing when you get such a job

...is to stop yourself from increasing your cost of life. It should be clear to everybody that such a job is only possible in a tech bubble where everyone pretending to be able to code can get a high paying job.

It makes sense to use that bubble to collect money for your future education, but be aware that the bubble will collapse eventually. Nobody knows if it'll be in 10 weeks or 10 years, but it will collapse. If you are prepared, you can then start studying and you will emerge wiser and without debt.

0
0

In space no one can hear you scream, but Voyager 1 can hear A ROAR

Christian Berger
Silver badge

Well the Japanese were good at doing so. I have a Japanese VCR from the mid 1970s which still works, except for one rubber part which needs to be replaced.

0
0

Vid shows how to easily hack 'anti-spy' webmail (sorry, ProtonMail)

Christian Berger
Silver badge

Re: Well browsers are not suitable for this

Yes, or a terminal. Why don't we have "GUI Terminals" to which I can send a simple form and they render it, have the user fill it out and return it. Kinda like HTML used to be before webdesigners took over.

0
0
Christian Berger
Silver badge

Well browsers are not suitable for this

Even if there was no cross site scripting hole in there, you could still get a fake certificate and do man in the middle.

The whole browser thing may need to be replaced by something much simpler and based on actual security.

3
0

Panic like it's 1999: Microsoft Office macro viruses are BACK

Christian Berger
Silver badge

Re: Users, Who'd have 'em.

Well... VBA scripts give at least a bit of use to office products as they allow at least a little bit of automation. Of course in an ideal world, people would just use flat text files and the unixoid tools available.

4
6

Royal Navy parks 470 double-decker buses on Queen Elizabeth

Christian Berger
Silver badge

Maybe it's to improve public transport infrastructure

I mean it's probably no problem at all to purchase 470 double-decker buses for a photo-op when it's about such a large ship. The cost of that is just negligible. While it's much harder to buy such buses normally.

So if you buy 470 double-decker buses out of the military PR budget, make that photograph, and then sell them to local communities for a symbolic price, you will have made a serious improvement to the public transport infrastructure.

0
0

Use Tor or 'extremist' Tails Linux? Congrats, you're on an NSA list

Christian Berger
Silver badge

Well the Stasi didn't have contractors. However people knew/suspected quite a bit. I mean back then it was all manual, so you could see the people following you around.

9
0

NSA man says agency can track you through POWER LINES

Christian Berger
Silver badge

It's a tool in their belt

As someone who actually did record the phase of the grid for extended periods I can say that it's plausible for certain situations.

First of all the averaged frequency of all points in the grid is the same, however there may be some minor phase shifts. Those are however probably completely useless for this.

The harmonics also are much less useful than they might seem, since those depend on your very local conditions, particularly when talking about the sound aspect of it. The type of "Loudspeaker" would probably completely dominate this.

It is rather trivial to fake this anyhow. Just record the hum of the place and time you want, and filter out the original hum, then paste in the fake one. Alternatively you can just use notch filters at 50, 100 and 150 Hz and fill up the space with narrow band noise.

So yes, if I was the NSA I would do it, particularly since it's cheap to do (our setup at work was essentially some cheap Foxconn PC and a tiny bit of homegrown hardware to connect the mains and the output of our clock to the soundcard) and it might be helpful in rare cases.

2
0

Daddy, what will you do in the new security wars?

Christian Berger
Silver badge

> I consider software anything that directly accesses the CPU and has instructions for that CPU. Note that a script or other interpreted code is useless without the interpreter, which falls under the purview of a program.

That's what Google tries to do with the Chromebook. It's no use since then you'll just use security bugs in the browser. It just keeps people from actually running local software outside of the browser.

0
0
Christian Berger
Silver badge

> Operating systems shouldn't be able to run unsigned software - ever.

We already have signed malware. This will only prevent you from installing your own self-compiled software or software from a trustworthy source. Few trustworthy sources will pay the money for a signature.

> ... proper, trusted certificate chain - no self-signed rubbish

Do you know how much a proper certificate costs? Also today we know that at least one attacker can control the root, and we have seen several CAs being taken over by non-governments, as well as customers of CAs being issued certificates far wider than what they should have gotten. The CA world is a terrible mess.

> Certificate revocation lists should be enforced as strictly as is practicable.

Even Google now knows that revocation lists are bogus and possibly even harmful:

https://www.imperialviolet.org/2014/04/19/revchecking.html

> Sandboxing should be made to work properly, strictly enforced, ... as long as they've been given explicit permission by the end users

Look at the mobile world. People will enable _every_ permission they are presented with. As long as you cannot patch out the features in the source code.

It seems like you've never seen the discussions in the late 1990s where "Trusted Computing" came along which tried to do all of this.

The thing that actually did bring security since then was "Free and Open Source Software". FOSS scared Microsoft into (partially) cleaning up the mess they called Windows. Today when software crashes because of invalid input it's considered to be not just an unimportant bug, but a security problem which needs to be addressed immediately.

0
0

Zero-knowledge proof crypto scheme divines truths from nothing

Christian Berger
Silver badge

@tempest8008

I don't quite see where the advantage of the double system would be. You need expensive machinery just to save you perhaps at most an hour. Plus you need to do audits. And you probably need to recount much of your votes anyhow since someone complains.

2
0
Christian Berger
Silver badge

Re: No E-Voting cannot be democratic

Well the point is, with electronic computers it's trivial to make widespread manipulation very hard to detect, while pen and paper voting is hard to manipulate and manipulation is easy to detect.

BTW, counting pen and paper votes is also rather quick and can be done in a very few hours. Most elections in Germany, for example, are counted within a single hour.

2
0
Christian Berger
Silver badge

No E-Voting cannot be democratic

And that has nothing to do with crypto.

The problems are much more basic. For example if you vote at home, someone can look over your shoulder so they will know what you voted for... effectively making it easy for them to buy your vote.

An even more substantial problem is trust and democratic verification. You can verify a pen and paper based system without any special knowledge. Everyone can understand it within a few minutes. So instead of having to have knowledge and capabilities in several fields (mathematics, electronics, programming, microelectronics) you can simply look at the process.

So this may have its applications, e-voting certainly isn't one of those.

12
2

Microsoft's Windows Phone 8.1 world conquest plan: folders!

Christian Berger
Silver badge

Hmm, they bought Nokia. It may be that Nokia has some valid patents on it.

0
8

Send Bitcoin or we'll hate-spam you on Yelp, say crims

Christian Berger
Silver badge

Actually...

"A currency that can be transferred untraceably"

That's completely wrong. Bitcoin is based on the idea that everybody can see all the transfers. So you can trace them all. In fact if you take part in Bitcoin you have all the transactions stored on your harddisk. What Bitcoin miners do is to certify those transactions.

Bitcoin is in no way even hard to trace. The only thing is that bitcoin wallets don't have names directly pinned on them. By that standard you could also register a company and open a bank account for it.

Again, Bitcoin is not anonymous, it's pseudonymous at best.

0
0

BOFH: You can take our lives, but you'll never take OUR MACROS

Christian Berger
Silver badge

Re: Bane of my life

I'm not sure about it. Yes it's used by many businesses, but the question is if it's used by important ones. I mean our civilization wouldn't suffer much if certain companies would cease to exist.

Your bakery or fish monger doesn't need spreadsheets to do their work.

0
0

DON'T BOTHER migrating legacy apps to the cloud, says CTO

Christian Berger
Silver badge

Actually, it might be

If you've got some old 1980s software running on some sort of Unix or VMS or something, it's trivial to get it "into the cloud". You simply put an SSH-terminalserver in front of it and people will be able to use it even over very slow connections... and on just about any device you can get an SSH-client for, which includes all real smartphones.

Also if your software survived from the 1980s till today, chances are it's fairly well designed.

1
0

What a whopper, LG: Feast your eyes on this 77-inch bendy TV

Christian Berger
Silver badge

Might make sense for a desktop screen

Since you are closer to the screen there, a curved screen makes a lot more sense there.

0
1