* Posts by Christian Berger

3707 posts • joined 9 Mar 2007

Remember that amazing video of the whale leaping out the gym floor and splashing down? Yeah, it was BS

Christian Berger
Silver badge

Well you need to do plausibility checks

And such augmented reality actually could, in theory, be possible if you extrapolate the technology we currently have, after all there's nothing absolutely impossible. You could, in theory, set up something like that with already existing equipment. It's just that often companies are simply not up to the task of doing it.

What I find more frustrating and noteworthy is that some people choose to believe other, more abstract, impossible things. For example some companies claim they can somehow build mobile devices that can store information "securely" without you entering a secure passphrase. This is obviously bullshit once you think about it. In order to encrypt and decrypt mass data you need to have some sort of a key. Now you either completely derive it from your passphrase (and some data being on the device), or you need to store it somewhere. All the data that's on the device can be read, even if it's on "security chips". All it takes is a moderate budget... which actually may be quite small for mass produced devices. (uncap the chip, add some traces on the FIB and you can brute force the PIN)

0
0

Real deal: Hackers steal steelmaker trade secrets

Christian Berger
Silver badge

Re: ThyssenKrupp said the attack was not attributable to security failings

"But some security failings can never be effectively policed, like moles."

No, but according to the accounts of people who worked there, they had extremely bad security.

https://www.heise.de/forum/heise-online/News-Kommentare/Massiver-Hacker-Angriff-auf-Thyssenkrupp/ThyssenKrupp-und-das-Maerchen-aus-der-Pressemitteilung/posting-29614397/show/

They didn't update their firewalls, they still used DES for their VPNs, they didn't separate their production LAN from their office LAN, etc...

"Is it really a security failing if it's one beyond anyone's ability to secure?"

You could as well ask if someone who hasn't learned to drive is responsible for the accidents they cause. If you are unable to do something, maybe you should not do it... particularly not at such a company.

"Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?"

No, but this is more like having your car unlocked and parked at a busy parking lot... and then complaining about it being stolen.

0
0

90 per cent of the UK's NHS is STILL relying on Windows XP

Christian Berger
Silver badge

Why not Windows PE?

Seriously, it has all the features you need while consuming a low amount of system resources. There are no privacy concerns and it's even free.

I mean with Vista everybody knew that operating systems from Microsoft would go downhill. Even Windows XP had some serious disadvantages over Windows 2000.

One can also give this a totally different spin. Microsoft is charging money and system resources again for something they already delivered without providing any new functionality. They try to enforce them by refusing to fix any mistakes they made during the production.

3
5

China and Russia aren't ready to go it alone on tech, but their threats are worryingly plausible

Christian Berger
Silver badge

How many people do you need to build/design a computer?

The Cray I was built by about a dozen or so. So was the 6502. Considering you could go quite far by building something like a C-64, but with more modern production techniques, there would be a very plausible and efficient solution.

Just embrace simplicity and don't worry about efficiency at first. Efficiency is something that should only be considered early in the process if it gives you several magnitudes in speed. Split up your problems into domains, decide which domains need high security, run those on your own hardware. Find out the ones which do not and which require high speed (i.e. graphics output) and run those on isolated commodity hardware.

2
0

What can we use to hit Intel between the eyes, thinks Qualcomm – a 10nm ARM server chip

Christian Berger
Silver badge

Re: People don't buy x86 because of Performance or anything

"you *cannot* deploy an arbitrary Windows image on an arbitrary x86 desktop laptop server etc and expect the OS to work right."

Well that's actually a problem with recent (since 2000) versions of Windows. With other operating systems or even Windows PE, the version the installer runs on, this is no problem at all.

0
0
Christian Berger
Silver badge

People don't buy x86 because of Performance or anything

They buy Intel because there's a platform around it. It doesn't matter if you have an x86 processor from Intel or AMD or Cyrix, and it doesn't matter if you have a PC from Dell, Supermicro or IBM. You can use the same OS image everywhere.

Unless there is a decent stable common hardware platform, ARM will not get into the PC or server business. Nobody there can tolerate being limited in what OS you can use.

4
5

BlackBerry's final QWERTY floats past the rumour mill

Christian Berger
Silver badge

Blackberry never was an engineering lead company

If it was, they'd have had an open standard allowing for 3rd party servers, right from the start. Their insistence on only allowing it to work with their own closed source BES was the reason why it ultimately failed.

Add to that the promise of security which was regularly broken, and you have a recipe for doom.

0
0

Axel Springer boss defends Facebook in fake news controversy

Christian Berger
Silver badge

One should note that Axel Springer...

...publishes quite some fake newspapers on dead wood. The most famous one is "BILD".

4
0

Internet of Things alliance LoRa: Licence to WAN? Yes please

Christian Berger
Silver badge

If you want to read an actual article about LoRa...

... I can recommend you issue 13 of PoC||GTFO

Why do most articles about "IoT" have to be so devoid of content?

1
0

Chap creates Slack client for Commodore 64

Christian Berger
Silver badge

Re: Fake Story

Well we need to be fair here. If you look at the Wikipedia page for "Slack" you'll notice that they probably needed more than 10 minutes to find out how to turn it on.

0
0
Christian Berger
Silver badge

Actually...

Reading the Wikipedia page on "Slack" it seems like this would be something that should actually run completely on a C-64 with a hard disk.

0
0

GET pwned: Web CCTV cams can be hijacked by single HTTP request

Christian Berger
Silver badge

Re: whistle blowers

I guess the developers just don't understand what kinds of errors they made. After all if they did, they probably would have avoided them.

2
0

Huawei Mate 9: The Note you've been waiting for?

Christian Berger
Silver badge

Re: Memory? removable battery?

This is not a technical review, it's a fashion review. It doesn't care about technical things like batteries or the stylus, it cares about things like how it looks.

Since most mobile phones are virtually identical from a technical standpoint, that's all there is to compare.

0
0

'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

Christian Berger
Silver badge

The big problem is...

that Deutsche Telekom now poses as a victim, even though it's their fault.

Like many security problems their problem comes from risky behaviour, in this case a cheap, badly implemented router they didn't even bother to test properly.

A simple ACL on the box, which would prevent it from talking to anybody else than Deutsche Telekom, would have completely eliminated this problem at virtually no cost. After all they already get their custom firmware and custom cases from the vendors.

1
1
Christian Berger
Silver badge

It's complicated

Many companies resell their DSL and add their own router which they'd like to manage from outside the Telekom network. So you may have an IP telephony company renting you a CPE which turns the DSL they buy from Deutsche Telekom into 4 ISDN T0 lines. That equipment needs to be remotely managed from outside the Telekom network.

Obviously the smart thing would be for vendors and deployers to restrict the IP-Ranges the connection requests are accepted from. Essentially a little ACL in the router would do... unfortunately despite that being a really powerful and easy to implement feature, hardware vendors tend to not use it.

BTW, Deutsche Telekom could have just used a rather decently secure alternative from a German vendor which wouldn't have been much more expensive. They chose the cheaper route and they chose to not test it properly.

3
0
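The per-source ACL both posts above describe, written out as an added example (not Deutsche Telekom's, any vendor's, or the poster's configuration): a default-deny check that accepts management-port connections only from constructed carrier and reseller prefixes, run over constructed firewall log lines. The address ranges, port numbers and log format are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list (documentation prefixes from RFC 5737 / RFC 3849, not any
# operator's real ranges): the only networks the CPE's WAN-side management
# service should accept connections from.  The reseller range models the
# "resold DSL" case, where a third party manages the box from outside the
# carrier's own network.
OPERATOR_MGMT_NETS = ["192.0.2.0/24", "2001:db8:1::/48"]   # hypothetical carrier
RESELLER_MGMT_NETS = ["198.51.100.0/26"]                   # hypothetical reseller
MGMT_PORTS = {7547, 443}    # constructed: remote-management listeners on the CPE

def build_acl(allowed_nets, mgmt_ports):
    """Compile CIDR strings once; strict=True rejects sloppy prefixes like 192.0.2.5/24."""
    return {"nets": [ipaddress.ip_network(n, strict=True) for n in allowed_nets],
            "ports": set(mgmt_ports)}

def acl_decision(acl, src_ip, dst_port):
    """Default-deny check for one inbound WAN connection attempt.
    Accept only if the destination is a management port AND the source lies inside
    an allowed prefix of the same address family; everything else, including
    unparsable sources, is dropped."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"
    if dst_port not in acl["ports"]:
        return "drop"            # no other WAN-facing service is exposed in this model
    for net in acl["nets"]:
        if net.version == src.version and src in net:
            return "accept"
    return "drop"

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")

def evaluate_log(acl, lines):
    """Apply the ACL to connection-attempt log lines and return
    (decisions, dropped_sources), where dropped_sources counts drops per source:
    a spike there is what a defender would watch for mass probing of the
    management port."""
    decisions = []
    dropped = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m["dport"])
        verdict = acl_decision(acl, m["src"], port)
        decisions.append((m["src"], port, verdict))
        if verdict == "drop":
            dropped[m["src"]] += 1
    return decisions, dropped

# Constructed sample of connection attempts, in a made-up firewall log format.
SAMPLE_LOG = [
    "2016-11-27T14:03:11Z wan-in src=192.0.2.17 dport=7547",       # carrier: accept
    "2016-11-27T14:03:12Z wan-in src=198.51.100.9 dport=7547",     # reseller: accept
    "2016-11-27T14:03:12Z wan-in src=203.0.113.45 dport=7547",     # random host: drop
    "2016-11-27T14:03:13Z wan-in src=203.0.113.45 dport=7547",     # same host again: drop
    "2016-11-27T14:03:14Z wan-in src=203.0.113.46 dport=443",      # drop
    "2016-11-27T14:03:15Z wan-in src=2001:db8:1::5 dport=7547",    # carrier IPv6: accept
    "2016-11-27T14:03:16Z wan-in src=198.51.100.200 dport=7547",   # outside the /26: drop
    "2016-11-27T14:03:17Z wan-in src=192.0.2.17 dport=8080",       # allowed host, non-mgmt port: drop
    "2016-11-27T14:03:18Z wan-in src=not-an-ip dport=7547",        # garbage source: drop
]

if __name__ == "__main__":
    acl = build_acl(OPERATOR_MGMT_NETS + RESELLER_MGMT_NETS, MGMT_PORTS)
    decisions, dropped = evaluate_log(acl, SAMPLE_LOG)
    for src, port, verdict in decisions:
        print(f"{verdict:6s} {src} -> :{port}")
    print("drops per source:", dict(dropped))
```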

Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Christian Berger
Silver badge

Well this was completely avoidable

I mean it's just extremely risky to put a system that can easily run code from any e-mail and doesn't even show "file extensions" by default into the hands of untrained workers.

If they had just been a bit more cautious and, for example, provided their users with simpler systems where they cannot easily make such fatal errors. If everything fails, give them terminals for the business end of things.

3
4

2.1Gbps speeds over LTE? That's not a typo, EE's already done it

Christian Berger
Silver badge

"Exactly how far they can push it before they have to replace it with fibre is anyone's guess."

Actually not. Information theory provides us with ways to precisely determine the maximum rate of information over a channel given the SNR and the bandwidth. Depending on what values you assume (how much the old 1980s cables have rotted away) you get somewhere in the double digit Gigabit range, a tiny fraction of what you can get today via fibre-optic cables.

1
0
Christian Berger
Silver badge

"contention also applies for home wired (XDSL/DOCSIS/FIBRE) connections too."

Yes, but there you can easily avoid it by proper network planning. With wireless networks (and DOCSIS) you have severe physical limitations.

1
0

Demo may have frozen, but narrowband IoT stew is still piping hot

Christian Berger
Silver badge

It also involves idiotic design decisions

I mean NB-IOT would be ideally suited for e-mail as the communications standard between the provider and the end user. Since we are often talking about _really_ low bitrates (<1000bps), transmitting a datagram takes quite some time anyhow.

E-Mail is fast, typically an e-mail will arrive within a second. However it's also resilient against errors. If your mailserver is down for a couple of hours you will not miss a single e-mail.

0
0

A closer look at HPE's 'The Machine'

Christian Berger
Silver badge

Yes, but...

the IBM360 is still rather popular, and I believe this project can be easily compared to the IBM360, even to the point that if it fails, HPE might be no more.

0
0
Christian Berger
Silver badge

Actually a quantum leap will not be enough

A quantum leap is the smallest change a system can do. A quantum leap would be to take a conventional server... and remove a screw.

What's needed here is a revolution. The kind of revolution that used to be common in the 1970s and 1980s, where the "next" machine commonly was 2-10 times faster than the previous one.

2
0

Poison .JPG spreading ransomware through Facebook Messenger

Christian Berger
Silver badge

Facebook spreading ransomware...

...a company that earns its money by holding social relations hostage spreads software made by people who hold files hostage.

7
0

Emulating x86: Microsoft builds granny flat into Windows 10

Christian Berger
Silver badge

Re: Erm DosBox...

Well actually, back when that Windows software was written 640x480 was an OK resolution with 1024x768 being about the maximum you can get.

If Microsoft was to either find a way to rearrange GUIs so they fit on those tiny screens, or bring out a mobile device with keyboard and pen, those software packages would be useful again.

Also there's a lot of software packages around for Win32 which are still maintained. They could still adapt the GUI without changing the rest of the system. This would give those applications a bridge.

Furthermore there's also quite some Win32 stuff, like VPN clients, which do not really need a GUI.

0
0
Christian Berger
Silver badge

Actually, now they are trying the shit that stuck

I mean if you look at Microsoft, the only thing that's consistently worked for the last 20 years was the win32-API on x86. If you wrote a program only using that in 1996, it's very likely it'll still work perfectly fine today. If you were smart, it won't even need any kind of installation or framework.

Now Microsoft is finally trying to do what they can do best, running win32 code.

To succeed you need to find something you can do well. For the iPhone this was shiny design, for Android this was the (broken) promise of having an open system. For Microsoft this always was running legacy code from the previous decades.

And it's always been that way, even if you look at the famous Windows 386 commercial, you'll notice that they are mostly running DOS software in their shiny new Windows 386.

https://www.youtube.com/watch?v=noEHHB6rnMI

Even well after the year 2000, people often ran DOS software for some applications.

0
0
Christian Berger
Silver badge

Re: Legacy %

"How many people need to run "legacy" apps? Most people use a browser, office, skype..... and not much more."

At home, maybe, but in companies legacy code is essential. For example we use WS_FTP95 at my current company as the only allowed FTP-client. At a company I was at before (from 2008) we were using Protel98, an electronic CAD package from 1998 with no plans to ever upgrade.

There's plenty of software run in companies that will never be updated because it runs and because Win32 used to be more or less stable. In fact there are even many software packages like Praxident which were maintained over 2 decades, but assimilated all those old technologies which seemed hip at the time. Those packages use everything from OCX components over OLE Automation and direct access to printers, up to .net.

The business market is still important for Microsoft. Office is one of their most profitable products, and companies are likely to purchase profitable service contracts.

The consumer market is long lost to Android anyhow.

3
0
Christian Berger
Silver badge

Finally!

Finally a reason to run Windows for ARM over Android. Now they only need to find a way to automatically adapt desktops UIs to make them usable on small touchscreen devices. Alternatively they could introduce a phone with stylus and keyboard.

The point is that they cannot out-iPhone the iPhone. If they want to succeed, they need to build on something only they can provide... in the case of Microsoft that's running legacy Win32 and Win16 code.

4
1
Christian Berger
Silver badge

Re: Lots of small companies stuck on X86

For most companies using Windows, Windows is x86. In fact even for Microsoft it kinda is. All the software distribution for Windows happens with binary files. Only .net adds some level of CPU independence.

1
0

Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking

Christian Berger
Silver badge

Where did ZyXEL get their reputation for providing usable hardware from?

That must be from back when they made phone line modems. We once had a couple ZyXELs in our lab. One couldn't work with PPPoE usernames containing a #. With another firmware it would randomly forget settings. Another ZyXEL was unable to adapt to one simple quirk in the SIP of a certain provider.

0
0
Christian Berger
Silver badge

Provisioning and maintenance mostly

For example when a customer complains, the call-center agent can see how bad the line is, etc.

1
0

Surprise! Another insecure web-connected CCTV cam needs fixing

Christian Berger
Silver badge

We _are_ talking about Siemens

...the company, that even in this century had software that stored settings in an SQL database... accessed by hardcoded credentials.

2
0

Hackers electrocute selves in quest to turn secure doors inside out

Christian Berger
Silver badge

There are actually guns available for this kind of thing

They are commonly used for testing devices, but obviously you can trigger them and do other things with them.

1
0

Samsung flames out as Chinese march on

Christian Berger
Silver badge

Well... that's to be expected...

If all companies are selling exactly the same product, you get something called "competition", which means that the company with the lowest overall price will win. The obvious solution against that is to diversify and have products that are different from the rest. However with that, there is no guarantee that those will sell well, you have to take a risk which is something modern companies cannot do.

2
0

The encryption conundrum: Should tech compromise or double down?

Christian Berger
Silver badge

Currently they aren't even trying

As explained so many times, if you have a budget (i.e. $100k) you can get around any of those mobile phone "security" measures.

Here is a public talk about the capabilities of the Dutch agencies from 2013. You will notice that this includes a FIB with which you can easily rewire any kind of security chip internally to keep it from storing a "usage" counter. Or alternatively to read out the encrypted key and the algorithm, and just do a brute-force attack. (which is trivial if you have a numeric password)

https://www.youtube.com/watch?v=AVGlr5fleQA

Here's a talk giving an overview on how that can be done:

https://media.ccc.de/v/30C3_-_5417_-_en_-_saal_6_-_201312281245_-_extracting_keys_from_fpgas_otp_tokens_and_door_locks_-_david

Some of the most secure crypto devices on a budget are Pay-TV cards, and if you watch the Panorama documentary, you will find that different companies have been able to circumvent those measures several times in the past. The documentary is called "Murdoch's TV Pirates"

Logically to encrypt data stored on a device you need a secret. That secret has to be entered at least every time you boot, so it either has to be stored on the device, or derived from some stored information and some passcode. On a device without a keyboard, such a passcode cannot be particularly long and usually only numeric.

So if the industry actually wanted to provide a slightly more secure device, they'd offer it in 2 parts. One is the mobile part, which you carry around with you, but is essentially a terminal, the other one would be a device you can have at a physically safe space where you store all the data on and execute the actual code. Authentication would work via public keys (think of ssh) and the server would automatically remove the authorized key for the device if something is fishy, or after some time.

That way, if your mobile device gets stolen, you can simply remove that key, and the new user won't be able to get any of that data, no matter what they do.

I personally think that the "but we need to catch criminals" thing is rather stupid. Police did catch criminals before they were carrying around lists of contacts with them. In fact, people used to remember phone numbers and addresses inside of their head.

1
0

Windows cmd.exe deposed by PowerShell

Christian Berger
Silver badge

Problem of interfaces

Programming interfaces on DOS/Windows have always been one of the biggest problems. That's why it's not uncommon for Windows software to control each other by emulating keypresses... either directly by sending keyboard events, or by using the slightly cleaner OLE automation.

And yes, there's probably lots of software using batch files, as such scripts are an efficient way of dealing with files (i.e. renaming them) as well as handling configuration (just edit the script). Since most of the Windows software in use today comes from the 1990s, often with the company producing it being out of business for a decade, there is no chance of those getting rewritten for PowerShell.

It's just that the ecosystem around Windows doesn't work in a way that allows change. Software is written by companies, who do not even release the source code. Those companies can disappear or lose their interest. Often they had to work around bugs, as for quite some years, Microsoft didn't release updates. Now if Microsoft fixes those bugs, they still need to maintain bug to bug compatibility with those old programs. This wouldn't be much of a problem, if interfaces were simple. A couple of syscalls could easily be implemented differently, that's how the unixoid operating systems manage to achieve binary compatibility. You can run Linux binaries on your *BSD computer to quite some extent. Microsoft's interfaces, however, are hugely complex. Instead of having simple overarching concepts like "character devices", every feature needs its own set of function calls, function calls which need to expose a stable API. It's a nightmare to change anything there without breaking lots of legacy software.

4
0

Smart meter benefits even crappier than originally thought

Christian Berger
Silver badge

I could understand smart meters...

if I was getting the data from them, and not some shady business trying to build some pseudo business model on them. I can also understand the network operator to get real time anonymised data so they can control the network, but personalised data must only be sent in very coarse aggregation. (i.e. total sum of kWh or credits per month/year)

2
0

PoisonTap fools your PC into thinking the whole internet lives in an rPi

Christian Berger
Silver badge

Actually you don't need to trust DHCP...

There is no reason why you should run a DHCP client and believe its claim for a default gateway for network interfaces suddenly appearing.

I mean I can see a point for USB devices posing as a NIC in order to provide some user interface, but for God's sake, ask the user before you accept a new default gateway, particularly if you already have one. (ask if this new device provides Internet or something) Or better yet, don't automatically run DHCP clients on interfaces that are not configured.

4
0

Security bods find Android phoning home. Home being China

Christian Berger
Silver badge

Re: Therefore it is vital to be able to root your phone

They are root-aware as some dimwits believe that the security model of Android is worth more than the storage its documentation takes.

Since malware typically is shipped by the manufacturer and you can avoid installing malware via the crap-store, rooting is a sensible way to have a minimum level of security.

0
0
Christian Berger
Silver badge

Therefore it is vital to be able to root your phone

...so you can install iptables and make sure it'll be harder for it to communicate to anybody else than your server.

2
0

Dirty code? If it works, leave it says Thoughtworks CTO

Christian Berger
Silver badge

The problem is, often it's too late when you know you need to change it

Considering that there can be severe security related bugs in said dirty code, it makes sense to regularly clean up code you cannot understand.

If someone else finds a security bug in your code, it's too late.

2
0

Siemens to mentor Mentor Graphics in $4.5bn acquisition

Christian Berger
Silver badge

Re: I've worked at a Subsidiary of Siemens using Mentor products

Ohh I should mention that the quality of Siemens software is also not particularly good. Their spiel is to use every obscure and currently fashionable feature of Windows, from VBX components over ActiveX to .net, and to use that in the most incompetent way. It's software that does trivial things, yet lags behind even the simplest user input.

0
0
Christian Berger
Silver badge

I've worked at a Subsidiary of Siemens using Mentor products

And I have to say Nucleus (the OS developed by Mentor) is _really_ bad. You can see that somewhere in the 1990s it was made by some decently clever people, then it descended into crud. Code we paid lots of money for was not even superficially tested and apparently written by idiots. You could see the bugs in the code by simply looking at it.

When I did some inquiries on why this was chosen over, let's say "FreeRTOS" the reply was that the decision to use Nucleus was made first, then some documents were written to claim that it's more suitable.

0
0

Google's crusade to make mobile web apps less, well, horrible

Christian Berger
Silver badge

Why not VNC?

(or some other play on the idea of a graphic terminal)

VNC only transmits the data you actually display, it's relatively simple to implement (compared to a browser) and it has much less space for security problems as it doesn't rely on server based code to run on the device.

Also VNC now uses by far less bandwidth than web apps. The only problem is latency... but then if you have a typical web app that loads data from two dozen other servers, you're screwed on a high latency link anyhow.

0
0

CERN boffins see strange ... oh, wait, that's just New Zealand moving 2m north

Christian Berger
Silver badge

That sinusoidal signal in the CERN data...

...is that because of the changing orientation of the device relative to the Aether? ;)

4
0

Google Pixel pwned in 60 seconds

Christian Berger
Silver badge

This is what you get when you make the problem more and more complex

Eventually your developers won't be able to handle it any more. This is a bit like the "Peter-Principle" where people get promoted until they are utterly incompetent at their position... causing all the positions to be filled by people just barely competent enough to not be fired.

With software, developers like to make things more and more complex, up to a point where they are barely able to handle it themselves. Android is a prime example, its core roughly has the user exposed functionality of Windows 3.1, but achieves this with several orders of magnitude more code.

1
0

Apple, Mozilla kill API to deplete W3C battery-snitching standard

Christian Berger
Silver badge

Re: It's one standard in a long row of idiotic web standards

"They'd still use all the cruft. It'd just be implemented with proprietary plugins."

Yes plugins, one of the earliest browser misfeatures.

0
0

The hated Trans-Pacific Partnership trade deal will soon be dead. Yay?

Christian Berger
Silver badge

Much cleaner rules?

I'm sorry, but at least CETA is a huge mess, far larger than what could be understood by a single person. I doubt that TTIP is significantly shorter than CETA.

The big issue nobody seems to address is that TTIP, like CETA at best tries to freeze a status quo, even though more and more of the population now realize that the neo conservative world model does not work for them. We have changing times, and unless we have the ability to react to them in a normal and sane way (i.e. Sanders) we get the result of people wanting to just smash the system as they cannot do anything else (i.e. Trump). If you don't provide democratic means for this transition, it'll end in chaos.

4
0

Robot solves Rubik's Cubes in 637 milliseconds

Christian Berger
Silver badge

How complex is that problem anyhow?

I mean is the problem bounded by CPU time or by how fast you can twist the cube?

1
0

Trump's taxing problem: The end of 'affordable' iPhones

Christian Berger
Silver badge

Actually it might bring the opposite

I mean for many companies import duties won't actually matter. Large International corporations surely will find ways to dodge any import duty, as they can simply avoid crossing US borders.

There might be another point. Large companies might move out of the US and set their headquarters somewhere else. Some highly qualified employees might move them, while others might simply quit... bringing a lot more decently qualified people on the "market". They might perhaps found their own company, or work at another company raising the average of skill there.

In any case, there is not much telling what Trump will actually do.

19
0

RIP EarthLink, 1994–2016: From AOL killer to regional ISP's attic

Christian Berger
Silver badge

It was a much different time back then

Back then people escaped their walled gardens to be on the open Internet. Now many people go to walled gardens such as Facebook.

Perhaps one thing is still the same. People using "online services" such as AOL were often regarded as the less smart ones, the conformists, the people who don't quite think for themselves. It's still like this with Facebook in some regard. More and more people apologize for being on Facebook or say that their account is just there for some legacy application.

It's a discussion that goes on for decades. The official magazine of the Chaos Computer Club already posted the question if it's right to be on "commercial mailboxes". Back then it was about "BTX" the German version of "PRESTEL". (had much fancier graphics conforming to the latest standard for teletext)

https://www.youtube.com/watch?v=iBfvIh2K4G0 (it even impressed aliens back then)

1
0

Was IoT DDoS attack just a dry run for election day hijinks?

Christian Berger
Silver badge

There is one error in that article

The election is not actually important. No matter who wins, the people in the US and the rest of the world will lose.

9
1