* Posts by Christian Berger

2583 posts • joined 9 Mar 2007

Brother, can you spare a DIME for holy grail of secure webmail?

Christian Berger
Silver badge

That's not much safer than what we have now

Today most mail servers already use TLS for all their connections, so only the involved servers see the headers. Of course those are self-signed certificates... but for governmental attackers that's no less of a problem than actual ones. In both cases you need to do an active attack which is potentially visible.

Same goes for any sort of "encrypted webmail service". Even if the browser was a secure environment, once you can break TLS you can send any Javascript you want over that connection.

So what shall we do? I believe we should make GPG more user friendly while keeping it compatible with what we have. For example the default configuration of Enigmail could always attach the current active key for the sending address, plus it could automatically store public keys it got from e-mails that were signed. In the default setting it would then try to make smart decisions on which keys to use when. So if it recently got a signed e-mail from someone you'd send back an encrypted one to that address.

Of course you should still be able to do everything manually, if you choose to do so. Also for mobile devices you could do key exchange via QR-codes.

The point is, we already have good infrastructure, which was not designed by idiots. Redoing it now again risks that it'll be done by the current flood of idiots who think that earning their money in writing shitty apps for mobile devices and reading the Wikipedia page on Cryptography makes them suitable for designing systems that should protect people's lives.

1
0

Intel's Raspberry Pi rival Galileo can now run Windows

Christian Berger
Silver badge

"Smart TVs are the rage. but for some reason, clunky and really needing some improvements. My point, there is room to grow in that area. MS could really hit a home run in this evolution if they could just push aside the 800 pound gorilla. I dont want Windows on TV, I want an interactive TV menu that makes me wonder "How did I get along without it"."

Well for that Microsoft would have to:

1. have a clue on how to do it, which is much harder than you'd imagine

2. be able to have that clue somehow survive through the company and reach the people who are in charge

Particularly point 2 is not likely to happen at any time. Microsoft just is far too large for that.

2
0
Christian Berger
Silver badge

Re: Windows fans?

No that should be:

Linux has fans and users

Windows has mostly sufferers

So far most of the Windows users I've seen seem to suffer from it. They are constrained by the arbitrary limits it imposes and more or less fight with it over trivial problems. Just read Trevor Pott's articles where he fights to do trivial things like getting e-mail out of an e-mail server. Things which on any other platform just require a single line typed into the command line... or dragging and dropping a folder in the GUI.

Of course there is also a group of genuine Windows fans. Those people actually know Windows and do things like porting Windows CE onto the Raspberry Pi (at least they claim to do that) or bypassing the Win32 API and directly talking to the kernel.

Then of course there are the Windows fanbois. People who have no idea about Windows, but just irrationally like it very much. That seems to be a much larger group than the genuine fans. They may have tried to install some 10 year old Linux distribution on overly exotic hardware... and failed, which they use as justification for thinking Windows is the best thing EWAR.

6
5
Christian Berger
Silver badge

Re: What software will it run?

I'd say the vast majority of software for Windows was long abandoned before 64 bit Windows came around. And the software that's not yet abandoned couldn't afford to cut Windows XP users out.

On the other hand, only very few types of applications actually profit from the larger 64 bit address space.

Additionally, Microsoft removed Windows support from their 64 bit versions. So your normal 16 bit applications won't run anymore. So I can understand large parts of the Windows market still being on 32 bit, particularly in the business sector.

5
1

Microsoft: Azure isn't ready for biz-critical apps … yet

Christian Berger
Silver badge

Actually not the first time

Microsoft continued mostly using foreign Unix-based systems well into the 1990s. It's comparatively recent that Microsoft uses their own products internally for things that count.

2
0

TV transport tech, part 1: From server to sofa at the touch of a button

Christian Berger
Silver badge

And all of that effort, just because of the lack of multicast on the Internet...

...and a severely broken copyright system which forces/allows TV stations to limit their broadcast area.

Just think how differently radio on the Internet is. Today you can tune into virtually every radio station in the world from wherever you are. It's like shortwave, only often in "better than FM" quality.

We could have the same with television. The step from 128 kbit/s audio to 1024 kbit/s video isn't big enough to make it infeasible.

Television used to be different. Back in the 1990s, you just started your TV station and put it onto a satellite. Everybody in Europe could just receive it. Television was a lot more European, it didn't know as many boundaries as it does now. Today when I order "Cartoon Network" in English on my cable company, I get a monstrosity known as "Cartoon Network Deutschland", which has very little to do with the real "Cartoon Network" as it only shows shows which have been dubbed to German... which means that those shows have been shown on other channels for years and are continuously repeated. The result is something more akin to "Pop" than Cartoon Network.

5
2

Munich considers dumping Linux for ... GULP ... Windows!

Christian Berger
Silver badge

Apparently the problem is more "botched administration"

At least that's according to what the people working there actually complain about. That's something that can, unfortunately, now be found for every platform.

One bizarre complaint was, that people couldn't get "mobile devices" quickly... which is actually more of a sign of decent administration since it's good practice to not let every insecure device onto your network.

People usually take that for granted on Windows.

3
2

Hackers' Paradise: The rise of soft options and the demise of hard choices

Christian Berger
Silver badge

Uhm, no

Well first of all most of today's computers have MMUs. Virtually every slightly more modern mobile phone has one and certainly everything that runs Linux. And yes I think we all understand how MMUs work, and what vital work has been done in the last years to improve on it.

"License plates" or other identity schemes where you have to show your passport to get to the net, won't help anything. Just look at malware like WhatsApp, you can find out who made it, but that's of no use, you still cannot get the malware aspects out of it. The only thing this helps with is make it easier for governments and companies to track the opposition. There are people whose life depends on anonymity.

What we need to do instead is to make computers more secure. We are already much better at this than we were in the 1990s, except on Windows and mobile phones. Instead of misinformed grumbling we should go on on that path and make our systems even more secure. We need to understand where our current weaknesses are and find out ways to circumvent them.

1
0

Top Gun display for your CAR: Heads-up fighter pilot tech

Christian Berger
Silver badge

This feels very retro-futuristic

Like sci-fi series where people live in stations on the moon, but only have one computer on that station and communicate via videophones with monochrome CRTs.

Come on, we shouldn't need this by now.

Even ad companies can now build self-driving cars. Trains and buses have reached a point where they are far more reliable and safe than cars. We shouldn't have large parts of our population driving around regularly in cars. It's 2014 not 1964.

3
1

Detroit losing MILLIONS because it buys CHEAP BATTERIES – report

Christian Berger
Silver badge

Re: Only a complete idiot...

Plus you should design battery operated devices to work on a larger range of voltages. Such parking meters wouldn't work reliably with rechargeable "9V" batteries since they often just have 8.4V. Ideally you'd have a little step-up converter inside and make them work with a single cell. That way you avoid the problem of a single bad cell among several good ones bringing down the whole battery.

16
0

Time to ditch HTTP – govt malware injection kit thrust into spotlight

Christian Berger
Silver badge

Re: SSL is a good thing

Well you can always use self signed certificates. They have little security disadvantage over the ones coming from a CA... unless of course you believe ALL the CAs you trust are somehow all trustworthy and totally secure. If one of those is compromised you are back to the security level of self signed certificates.

14
0
Christian Berger
Silver badge

Well, but in this case HTTPS wouldn't help

Most governments already run their own CAs which means they can easily issue fake certificates which will be accepted by the browser. So if you already do man in the middle, it's trivial for a government to just intercept that. We already see that in some countries.

The big problem is the CA system in SSL/TLS. It relies on hundreds of organisations to all be trustworthy. Therefore I'd go for a system like in ssh where you see the fingerprint of the public key of the host and once you've connected to it, your computer will remember it. That way an attacker would have to continuously and reliably do a man in the middle.

SSL/TLS is only really good against passive attacks, and for that you don't even need the CA system. Perhaps we should make browsers display the public key of the host as some kind of graphics. Sure it would just be a pattern of dots or something, but it could be done in a way that's easily recognizable. Or maybe we extend the URL standard in a way to include some public key information. Such longer URLs could then be promoted via QR codes.

19
0
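The ssh-style "remember the fingerprint on first contact" scheme from the comment above, together with its "pattern of dots" idea, as an added example that is not part of the original post. Host names and key bytes are constructed, and `PinStore`, `fingerprint` and `dot_pattern` are hypothetical names chosen for this sketch.

```python
import base64
import hashlib
import hmac
import json
from pathlib import Path


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw public key bytes, in the "SHA256:<base64>" style ssh prints."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def dot_pattern(public_key: bytes, width: int = 16) -> str:
    """Render the first 128 bits of the key hash as a grid of dots.

    A plain bit grid for side-by-side visual comparison; this is not
    OpenSSH's randomart algorithm.
    """
    digest = hashlib.sha256(public_key).digest()[:16]
    bits = "".join(f"{byte:08b}" for byte in digest)
    rows = [bits[i:i + width] for i in range(0, len(bits), width)]
    return "\n".join(row.replace("1", "#").replace("0", ".") for row in rows)


class PinStore:
    """Trust-on-first-use store: host -> fingerprint, optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def pin_out_of_band(self, host: str, fp: str) -> None:
        """Seed a pin from a fingerprint obtained outside the connection,
        for instance one carried in a QR code as the comment suggests."""
        self.pins[host] = fp
        self._save()

    def check(self, host: str, public_key: bytes) -> str:
        """Return "first-seen", "match" or "mismatch" for the key a host presents."""
        presented = fingerprint(public_key)
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so remember the key.
            self.pins[host] = presented
            self._save()
            return "first-seen"
        if hmac.compare_digest(known.encode(), presented.encode()):
            return "match"
        # The stored pin is never overwritten silently; the caller must
        # refuse the connection or ask the user to re-verify out of band.
        return "mismatch"


if __name__ == "__main__":
    # Constructed sample keys; real code would take the DER-encoded public key
    # from the peer certificate or the ssh host key blob.
    original_key = b"constructed-public-key-A"
    swapped_key = b"constructed-public-key-B"
    store = PinStore()
    host = "mail.example.org:443"
    for key in (original_key, original_key, swapped_key):
        print(host, store.check(host, key), fingerprint(key))
    print(dot_pattern(original_key))
```

A key swap is reported only for hosts that were pinned before the swap; the first contact itself stays unauthenticated unless the pin was seeded out of band.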

CIA infosec guru: US govt must buy all zero-days and set them free

Christian Berger
Silver badge

Re: Software liability is not a new idea

Yes but apparently his point is that if you have software where you can "remove features you don't want", i.e. open source software, you aren't liable. This makes it very feasible as there is no reason for not distributing your source code anymore, except for malware.

0
0

Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar

Christian Berger
Silver badge

Re: We should finally invest in defence

Actually the thing with the stack pointer won't help against stack overflows and is in fact done by the computer. In short it guarantees you that pushes and pops to the stack will be symmetrical.

C also does things like automatically make sure that if you add a float to an integer, the correct "float to int" adding will be called instead of just seeing the bits of the float as an integer or vice versa.

0
0
Christian Berger
Silver badge

About distributing software in source only

Well we currently have the problem that compiling software is a slow and error prone thing, that's why installing Gentoo will typically greatly increase your power bill, but let's imagine we'd live in a world where compiling is fast and easy. So fast that your operating system and applications could actually compile from source while starting. Sure that sounds crazy, but it's what Forth and Javascript people are doing.

Now what if whenever you do an update, you actually get to see the changes. Just like with Eclipse you could simply see the changes between the old and the new version. Such changes are much easier to understand than the rest of the software. Of course 99.99% of all people would just accept them without even looking. However with the millions of computer users, 0.01% still amount to hundreds to thousands of people. Compare that to the few people who look at patches today.

There are lots of people who, while not proficient enough to actually write their own code, know enough to be able to spot code they may not want. Those people can then just refuse to accept certain parts of the code.

For other people this may be an introduction to reading code. If it's just a click away people might start looking at it, and it'll gradually make sense to them. Computing would change from some "magic box" to something we all can take part in.

1
0
Christian Berger
Silver badge

Re: We should finally invest in defence

> We've known how to prove code for decades. The trouble is - it's ruinously expensive.

Well not necessarily. Certainly hand proving your code, which is done in some areas routinely, is rather expensive. However there are little things where automatic proofs are already extremely common. Many languages, for example, will make sure that your stack pointer is at the same value it used to be before a function call. (unless you do some really weird things) This may seem trivial, but it helps prevent certain problems.

There is research going on into how to make proving more complex things easy. One idea is, for example, to have useful types. For example your compiler and system could know that a certain memory location contains an integer, which is a prime number. Your compiler could check the code path, and insert code to check this condition where necessary. It can even throw a compiler error if you try to write in the exit value of a function that does not produce primes.

Furthermore you could have tags to your types indicating how this data can be moved. For example every word of memory you have could have a type tag which allows you to set that word to be "private". A "private" memory word would stay private during normal operations. So if you add 5 to it, it would stay private. Your network card would refuse to transmit words marked as private. However a special privileged function could, for example, encrypt it and turn that information public. That way you could guarantee that no information marked "private" ever gets out unencrypted.

Essentially the current attempts boil down to the idea that you give your compiler hints on how it can check if the code is right. Early starts to this are "const" attributes to variables in C.

0
0
Christian Berger
Silver badge

We should finally invest in defence

We should make computers simpler so they are less vulnerable. We should quit making highly complex standards. And we should learn how to prove code.

Also we need to stop distributing software without source code.

3
0

Google's ANDROID CRUSHING smartphone rivals underfoot

Christian Berger
Silver badge

Fascinating...

....how Microsoft actually managed to lower their market share by bringing out a product that's even less desirable than the old Windows CE-based devices.

18
0

Password manager LastPass goes titsup: Users LOCKED OUT

Christian Berger
Silver badge

Re: It's even less secure than an unencrypted passwords.txt file

"It doesn't work like that, because that would be moronic. Instead the encrypted blob is sent to your PC, where the password is used to decrypt it in-app."

Yes, if you are unlucky that app is just some Javascript on a web page which will be loaded anew each time you visit the page and can be tailored to you specifically. Since the CA model is broken, more sophisticated attackers can even replace it without the knowledge of the developer.

If you are a bit luckier, you have an actual app, however that can still be updated by the developer... or whoever else has access to the chain of trust bringing you that code. Updates on today's operating systems are done in binary form making it extremely hard to see what has actually been changed. So it's completely plausible that you as the target got a special version which sends out your master password, along with the encrypted blob, to some 3rd party server.

Software distribution is, unfortunately, severely broken on commercial systems. Even having a list of the source files that have changed between versions could make a big difference to the security conscious end user. Having access to the diffs could bring actual security, at least to educated users. It's comparatively easy to look at a patch in code.

1
0
Christian Berger
Silver badge
Facepalm

It's even less secure than an unencrypted passwords.txt file

Just think of it. For a foreign party (e.g. your local secret service) to compromise that unencrypted file, they need to compromise your local computer. Either remotely or via hardware access. If they can do that, it's trivial to sniff the master password you enter into one of those services to get to the other passwords...

Additionally there is the threat of the service delivering malware. While Javascript usually cannot break out of the browser, it can surely send the password you enter to the service as well as decrypt your passwords locally. All of this can be done selectively for certain users, and US law probably can even force services into doing this without telling their users. If this is only done for a select few, chances are it'll never be detected.

So seriously, instead of using such a service, it's far better to use a passwords text file.

2
1

Chinese Bitcoin farms: From scuzzy to sci-fi

Christian Berger
Silver badge

You could build Bitcoin heaters

After all it's just a waste turning electricity into hot air. You could easily build a water heater which, instead of just having some wire heating up, has some computer mining Bitcoin.

2
0

NIST wants better SCADA security

Christian Berger
Silver badge

Re: My SCADA is already secure, ta you very much.

Ohh you've missed a generation.

In between there was OPC, OLE for Process Control. A grand plan to make everything interoperable... based on OLE and DCOM. Of course it didn't actually work and now there are dozens of companies adding trivial features like logging to those systems. Oh and guess what, DCOM has few security features, and the few it has are typically deactivated... meaning that you can not just control your special SCADA software, but probably also other OLE software on your system. OLE was one of the backbones of Windows back in the 1990s.

So sure, text based SCADA kit with 9600 baud would be much more secure, in fact you could even hang them onto a small Linux system running SSH for network access.... but that won't bring you flashy graphics you can watch on your iPad.

2
0
Christian Berger
Silver badge

In the Meantime...

...have some SCADA in the cloud. No, I'm not joking. It's a real thing, you can look it up. Usually it runs on Microsoft Azure.

3
0

Google leaves STUPID vuln on Nest devices

Christian Berger
Silver badge

Re: Not to downplay the security hole....

Plus in 30 seconds you can probably just replace the device with an identical looking one that's bugged. Or you could implant a bug into one of those.

3
0
Christian Berger
Silver badge
Facepalm

Re: That's actually a feature I'd want

"In a world where most people aren't developers, most people will always run someone else's code."

You're completely missing the point. Of course you won't have to security audit all the code you are running yourself, but you can get code from other trusted sources. Just like people now replace their Windows XP or Windows 8 with some Linux, or replacing their manufacturer branded Android with Cyanogenmod, being able to choose what software runs on those devices is a good thing.

Just imagine Google deciding to "upgrade" the software to display ads. Or to sell off the data they collect from those devices. Just because Google doesn't do this today, they could one day get into financial troubles and be sold to a company having other ideas. In the 1990s nobody would have thought IBM would sell off their PC division.

And seriously, how is the mentioned "security hole" even a security hole? If you have 10 seconds alone with such a device, you could also simply replace it with an identically looking other device. Or you could just stick on additional hardware to it.

6
1
Christian Berger
Silver badge

That's actually a feature I'd want

I'd not want to run such devices with some Google software which is designed to spy on me, but with a software coming from a source I trust. In fact since the task is rather simple, I'd want to be able to write my own software to get onto those devices.

It's not a security vulnerability, it's a security feature. Running your own code means that you can get rid of all the security problems the manufacturer put in there.

We must stop seeing "running your own code" as a security problem, since "code is law" and only if you can decide what code a device runs, you truly own it. Seeing more and more devices going against the will of the person who paid for it, that's a really important thing.

8
5

Microsoft: Just what the world needs – a $25 Nokia dumbphone

Christian Berger
Silver badge

Re: If it can execute J2M...

Well so far, the only feature I missed from J2M was the ability to go into suspend when a program was running. Surely that can't be a technical problem.

0
0
Christian Berger
Silver badge

If it can execute J2M...

...and go to sleep while doing so, it may be a serious competitor to their higher end line. After all there probably still is more J2M Software out there than software written for Windows Phone.

1
0

AMD's first 64-bit ARM cores star in ... Heatless in Seattle*

Christian Berger
Silver badge

Re: Finally a standard for booting

I disagree, from all I've heard the specification itself is already far too complex to ever be implemented correctly. I mean the reference implementations are already larger than the Linux Kernel... and those implementations don't include any drivers.

It just seems to be a heck of an overhead just to do booting and hardware support. OpenFirmware did the same, much more cleanly with much less code.

Maybe we should stop comparing EFI with the IBM-BIOS and instead compare it to something that actually was "state of the art" at one point.

6
0
Christian Berger
Silver badge

Finally a standard for booting

Finally you are likely to be able to run the same image on several devices... the only problem is that it's based on UEFI, a system more complex than the Linux kernel.

13
1

Chromebooks to break out of US schools: Netbook 2.0 comeback not just for children

Christian Berger
Silver badge

Uhm, it's hard to see what advantages a Windows laptop would have over a Chromebook. So it does make sense for people using Windows laptops to switch to Chromebooks.

14
12

Ofcom sees RISE OF THE MACHINE-to-machine cell comms

Christian Berger
Silver badge

How do they know?

The M2M project I've been involved in used cheap pre-paid SIMs from ALDI. There's no way they could know what we use it for.

0
0

GCHQ recruits spotty teens – for upcoming Hack Idol

Christian Berger
Silver badge

Re: Start tracking them young

Well it doesn't matter if they _want_ to do it. Because of information asymmetry they can simply be blackmailed into such positions.

This is why the Chaos Computer Club heavily advises against any sort of such cooperation. There simply is no way you can win in such a situation.

1
0

Blackphone rooted at BlackHat

Christian Berger
Silver badge

I wouldn't have expected otherwise

The Blackphone went down a wrong route. It's just a slightly modified standard phone.

The problem with that is complexity. Mobile operating systems are orders of magnitude too complex to be secure. More complexity means more errors, and more errors mean more security critical errors.

Another problem on those devices is that you have several instances of "binary blobs", code running with very high privileges, facing outside, but having never gone through some sort of security audit.

If you actually want to have a secure device, you need to design it differently. One important thing is to spread out your hardware to different components connected via simple interfaces. Today's mobile phones often have their GSM/UMTS/LTE baseband connected via shared memory or USB, this means that once the baseband is compromised it's plausible it can attack the application processor, and therefore read out all the keys... or just fake the display.

If you had a simple high speed serial port running a much simpler protocol like PPP, this becomes so hard it gets implausible.

You could have each function of your mobile phone done by an independent microcontroller. The software running on each of those would be simple enough that it would be essentially bug free, so it wouldn't need to be updated. Simple protocols could reduce the attack surface even more.

Without any need to update your software, you could just embed your electronics in transparent resin with a bit of glitter. That would even make the hardware tamper evident.

Then you could greatly simplify the software architecture. Since it'll always be possible to get keys out of your device, and since the CA concept of TLS is severely broken, you could just limit the communication of your device to a single server you own yourself. Since you can exchange the key in advance, you can simply use symmetric encryption. Securing a server is much easier than securing a device that's inside your pocket.

4
2

Facebook slurps PrivateCore - 'cos your selfies need locking up

Christian Berger
Silver badge

Actually PrivateCore seems to be complete Snakeoil

They claim to have security benefits by encrypting RAM. They claim to do this by having a "secure hypervisor" in CPU cache. Which is hard enough to do, but they don't seem to have any actual credentials in security.

The way they are trying to get around the obvious "boot another OS" attack is by using bootloaders that only run signed code... something that may sound good in theory until you realize that it typically depends on certificate chains... which have so far failed in so many places and are regularly exploited on the Internet. It's not designed to protect the user, but to protect business models.

In essence, they are running more code, which will mean more bugs and therefore more security critical bugs. There's very little security benefit in that.

1
0

'Up to two BEEELLION' mobes easily hacked by evil base stations

Christian Berger
Silver badge

Well looking at it more realistically...

The "GSM" baseband is very complex adding layer upon layer of code trying to implement standards which are in part badly designed.

Added to that is the principle that the network is always trustworthy, so those implementations were never tested against malevolent networks.

What makes this a really big problem is that some mobile phone manufacturers use shared memory to have the baseband talk to the application processor. So if you take over the baseband CPU you'll likely be able to compromise the rest of the system.

0
0

Brit kids match 45-year-old fogies' tech skill level by the age of 6

Christian Berger
Silver badge

Re: I call bollocks.

The problem is that we are increasingly cutting off people from accessing what's below the shiny surface. In fact on many mobile devices you don't even get to have root access by default.

Compare that to the home computer era. Sure most people used them to play games, but once you turned them on, you were presented with a fully fledged command prompt in the form of a BASIC interpreter.

13
0
Christian Berger
Silver badge

Using pre-made services doesn't represent a skill

Just like turning on a TV isn't much of a skill.

51
1

Russia, China could ban western tech if they want to live in the PAST

Christian Berger
Silver badge

It's a tradeoff

A computer that's a factor of 2 slower, but secure seems like a great tradeoff. I mean there are people willing to trade in much more performance for much less security benefits. Just look at antivirus users.

4
1

Facebook wants Linux networking as good as FreeBSD

Christian Berger
Silver badge

Re: Git Gud!

Well actually you don't even need to be good, you just need to not be a total idiot. So far his outbursts all just went against idiots.

10
0

Australia's metadata debate is an utter shambles

Christian Berger
Silver badge

Re: The envelope analogy

Actually there are systems which do just that. Such systems are sold today. After all cameras already scan every envelope to try to figure out where it should go.

0
0

Tiny steps: HTTP 2.0 WG looks for consensus

Christian Berger
Silver badge

Re: Encryption with SSL is problematic

I don't see how that would work. TCP is rather good at streaming data over long latency connections. You just push in your data and it'll come out with the latency of the line. Having a bit more or less data wouldn't change the latency.... Besides there are Websockets for that kind of thing.

2
0
Christian Berger
Silver badge

Encryption with SSL is problematic

We all know that SSL is broken in so many ways that we actually should just abandon it and replace it with something more like SSH. Mandating SSL will only slow down that process, plus it'll cause lots of problems.

I do not see a point for compressing headers. The web isn't slow because we use a text based protocol that's uncompressed. The web is slow because idiotic web designers spread their contents across dozens of domains (causing DNS queries) and bloating the headers with cookies.

3
2

BlackBerry boss John Chen: We're FINISHED (with the job cuts)

Christian Berger
Silver badge

Re: Last time somebody told me that...

Well Blackberry is needed to lure people into what is probably the easiest platform to have access as, as a large attacker. I mean they even sent the e-mail passwords to a Blackberry server. The intended use case involves a "Backend Server" which runs on Windows with System rights.

It's just like saying "Google Mail is bad, let's all switch to De-Mail".

0
5

HUMAN RACE PERIL: Not nukes, it'll be AI that kills us off, warns Musk

Christian Berger
Silver badge

The problem probably is profitability

I mean we already let computers make decisions which are bad for society, for example in high speed trading. As long as this is not explicitly forbidden, corporations will go on doing this.

Corporations themselves are like machines. Although the individual parts are humans, the whole thing behaves like a being. That is why corporations must never be half-treated as people as it's done now in the US, where corporations can do nearly everything people can, but they cannot be sent to jail. If you send an individual of a corporation to jail, it'll simply work around that missing part.

9
2

Free 2004-spec AS/400 pops up in the cloud

Christian Berger
Silver badge

It's still surprisingly popular in Germany

So far every large furniture store I've seen had one, as well as some large electronics stores.

1
0

Cisco patches OSPF bug that sends traffic into black holes

Christian Berger
Silver badge

There's always a slight chance...

that Cisco actually fixes their bugs.

The strategy of the NSA is not to do the bare minimum to get to the data, but to do everything they can. So they probably knew about such bugs, but still added hardware... just because they can and they want to have redundancy.

1
1

It's official: You can now legally carrier-unlock your mobile in the US

Christian Berger
Silver badge

Re: It's nice to see people are chipping away on the DMCA

Well of course the US pushed the DMCA. However if you go to a politician outside of the UK, they will always refer to the international agreements.

For a US politician international agreements are not an argument, they just want them to make life in other places worse and just ignore them when they become problematic.

0
0
Christian Berger
Silver badge

It's nice to see people are chipping away on the DMCA

Unfortunately the US is probably the only country where this is possible, since there are braindead international contracts which are used by other countries to argue against abolishing their local DMCA versions. In the US nobody cares about international law.

0
8

14 antivirus apps found to have security problems

Christian Berger
Silver badge

Re: Point of Issue

C is a powerful tool in the hand of capable people. Its natural environment is UNIX and simple systems.

One should notice that good C programmers don't program complex things in C. This may sound paradoxical, but what they actually do is write a small "interpreter" which interprets data structures containing the actual logic. Thus creating something like a domain specific language. C with its data and function pointers makes this very simple. This is the true strength of C.

Apparently that is not what people have been doing here, they literally programmed complicated things directly in C, making both their life unnecessarily hard and risking serious problems if they mess it up.

2
0