* Posts by Christian Berger

4851 publicly visible posts • joined 9 Mar 2007

Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

Christian Berger

It's the start of a new generation

Slowly but surely we see the "Linux ecosystem" taken over by the same kind of people who took over the Windows ecosystem. People who haven't matured yet and therefore write code more complex than they can handle.

And this is one of those examples: they believed that they could handle complex file formats by outsourcing the parsing to an already existing parser... and failed in a really bad way.

Meet Hyper.is – the terminal written in HTML, JS and CSS

Christian Berger

While there may be a serious use case for a terminal in the browser...

... particularly since it allows you to make simple web applications much simpler and therefore much more secure, adding the bloat of multiple libraries and frameworks kinda eliminates the effort.

What would make sense would be a "DOM-Terminal" standard. A simple protocol which turns the browser into a terminal you can send commands to, to modify your document tree.

Top tech company's IP was looted by China, so it plans to hack back

Christian Berger

Re: Hopefully no acronyms used

I once was at a company called BSH. They had an IT department....

Christian Berger

It's got nothing to do with money

Security doesn't necessarily cost money. Security requires a certain mindset, not spending money.

Christian Berger

Attribution is hard and usually impossible

You cannot trace back the origin of malware or an attack just like you cannot trace back the origin of a text. Of course you can say that a text is written in Chinese so it might come from China, but that's largely bullshit. Everyone can fake that...

...and this is the problem with "Cyberwar", anybody can trivially claim they are X and attack country Y so Y will strike back at X even though X is innocent. You don't need people to learn a foreign language, just compile your code on a Windows version from that country and rent a foreign server at a hosting company in that country and people will only find that.

So whenever you hear "Country X did it", there usually is a very flimsy chain of evidence behind it. It's virtually impossible to actually know where such an attack came from.

What we can do to prevent it is normal IT security. And that's _much_ cheaper than any "Cyberwar".

Remember that amazing video of the whale leaping out the gym floor and splashing down? Yeah, it was BS

Christian Berger

Well you need to do plausibility checks

And such augmented reality actually could, in theory, be possible if you extrapolate the technology we currently have, after all there's nothing absolutely impossible. You could, in theory, set up something like that with already existing equipment. It's just that often companies are simply not up to the task of doing it.

What I find more frustrating and noteworthy is that some people choose to believe other, more abstract, impossible things. For example some companies claim they can somehow build mobile devices that can store information "securely" without you entering a secure passphrase. This is obviously bullshit once you think about it. In order to encrypt and decrypt mass data you need to have some sort of a key. Now you either completely derive it from your passphrase (and some data being on the device), or you need to store it somewhere. All the data that's on the device can be read, even if it's on "security chips". All it takes is a moderate budget... which actually may be quite small for mass produced devices. (uncap the chip, add some traces on the FIB and you can brute force the PIN)

Real deal: Hackers steal steelmaker trade secrets

Christian Berger

Re: ThyssenKrupp said the attack was not attributable to security failings

"But some security failings can never be effectively policed, like moles."

No, but according to the accounts of people who worked there, they had extremely bad security.

https://www.heise.de/forum/heise-online/News-Kommentare/Massiver-Hacker-Angriff-auf-Thyssenkrupp/ThyssenKrupp-und-das-Maerchen-aus-der-Pressemitteilung/posting-29614397/show/

They didn't update their firewalls, they still used DES for their VPNs, they didn't separate their production LAN from their office LAN, etc...

"Is it really a security failing if it's one beyond anyone's ability to secure?"

You could as well ask if someone who hasn't learned to drive is responsible for the accidents they caused. If you are unable to do something, maybe you should not do it... particularly not at such a company.

"Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?"

No, but this is more like having your car unlocked and parked at a busy parking lot... and then complaining about it being stolen.

90 per cent of the UK's NHS is STILL relying on Windows XP

Christian Berger

Why not Windows PE?

Seriously it has all the features you need while consuming a low amount of system resources. There are no privacy concerns and it's even free.

I mean with Vista everybody knew that operating systems from Microsoft would go downhill. Even Windows XP had some serious disadvantages over Windows 2000.

One can also give this a totally different spin. Microsoft is charging money and system resources again for something they already delivered without providing any new functionality. They try to enforce them by refusing to fix any mistakes they made during the production.

China and Russia aren't ready to go it alone on tech, but their threats are worryingly plausible

Christian Berger

How many people do you need to build/design a computer?

The Cray I was built by about a dozen or so. So was the 6502. Considering you could go quite far by building something like a C-64, but with more modern production techniques, there would be a very plausible and efficient solution.

Just embrace simplicity and don't worry about efficiency at first. Efficiency is something that should only be considered early in the process if it gives you several magnitudes in speed. Split up your problems into domains, decide which domains need high security, run those on your own hardware. Find out the ones which do not and which require high speed (i.e. graphics output) and run those on isolated commodity hardware.

What can we use to hit Intel between the eyes, thinks Qualcomm – a 10nm ARM server chip

Christian Berger

Re: People don't buy x86 because of Performance or anything

"you *cannot* deploy an arbitrary Windows image on an arbitrary x86 desktop laptop server etc and expect the OS to work right."

Well that's actually a problem with recent (since 2000) versions of Windows. With other operating systems or even Windows PE, the version the installer runs on, this is no problem at all.

Christian Berger

People don't buy x86 because of Performance or anything

They buy Intel because there's a platform around it. It doesn't matter if you have an x86 processor from Intel or AMD or Cyrix, and it doesn't matter if you have a PC from Dell, Supermicro or IBM. You can use the same OS image everywhere.

Unless there is a decent stable common hardware platform, ARM will not get into the PC or server business. Nobody there can tolerate being limited in what OS you can use.

BlackBerry's final QWERTY floats past the rumour mill

Christian Berger

Blackberry never was an engineering-led company

If it was, they'd have an open standard allowing for 3rd party servers, right from the start. Their insistence on only allowing it to work with their own closed source BES was the reason why it ultimately failed.

Add to that the promise of security which was regularly broken, and you have a recipe for doom.

Axel Springer boss defends Facebook in fake news controversy

Christian Berger

One should note that Axel Springer...

...publishes quite some fake newspapers on dead wood. The most famous one is "BILD".

Internet of Things alliance LoRa: Licence to WAN? Yes please

Christian Berger

If you want to read an actual article about LoRa...

... I can recommend you issue 13 of PoC||GTFO

Why do most articles about "IoT" have to be so devoid of content?

Chap creates Slack client for Commodore 64

Christian Berger

Re: Fake Story

Well we need to be fair here. If you look at the Wikipedia page for "Slack" you'll notice that they probably needed more than 10 minutes to find out how to turn it on.

Christian Berger

Actually...

Reading the Wikipedia page on "slack" it seems like this would be something that should actually run completely on a C-64 with hard disk.

GET pwned: Web CCTV cams can be hijacked by single HTTP request

Christian Berger

Re: whistle blowers

I guess the developers just don't understand what kinds of errors they made. After all if they did, they probably would have avoided them.

Huawei Mate 9: The Note you've been waiting for?

Christian Berger

Re: Memory? removable battery?

This is not a technical review, it's a fashion review. It doesn't care about technical things like batteries or the stylus, it cares about things like how it looks.

Since most mobile phones are virtually identical from a technical standpoint, that's all there is to compare.

'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

Christian Berger

The big problem is...

that Deutsche Telekom now poses as a victim, even though it's their fault.

Like many security problems their problem comes from risky behaviour, in this case a cheap, badly implemented router they didn't even bother to test properly.

A simple ACL on the box, which would prevent it from talking to anybody else than Deutsche Telekom, would have completely eliminated this problem at virtually no cost. After all they already get their custom firmware and custom cases from the vendors.

Christian Berger

It's complicated

Many companies resell their DSL and add their own router which they'd like to manage from outside the Telekom network. So you may have an IP telephony company renting you a CPE which turns the DSL they buy from Deutsche Telekom into 4 ISDN T0 lines. That equipment needs to be remotely managed from outside the Telekom network.

Obviously the smart thing would be for vendors and deployers to restrict the IP-Ranges the connection requests are accepted from. Essentially a little ACL in the router would do... unfortunately despite that being a really powerful and easy to implement feature, hardware vendors tend to not use it.

BTW, Deutsche Telekom could have just used a rather decently secure alternative from a German vendor which wouldn't have been much more expensive. They chose the cheaper route and they chose to not test it properly.

Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Christian Berger

Well this was completely avoidable

I mean it's just extremely risky to put a system that can easily run code from any e-mail and doesn't even show "file extensions" by default into the hands of untrained workers.

If they had just been a bit more cautious and, for example, provided their users with simpler systems where they cannot easily make such fatal errors. If everything fails, give them terminals for the business end of things.

2.1Gbps speeds over LTE? That's not a typo, EE's already done it

Christian Berger

"Exactly how far they can push it before they have to replace it with fibre is anyone's guess."

Actually not. Information theory provides us with ways to precisely determine the maximum rate of information over a channel given the SNR and the bandwidth. Depending on what values you assume (how much the old 1980s cables have rotted away) you get somewhere in the double digit Gigabit range, a tiny fraction of what you can get today via fibre-optic cables.

Christian Berger

"contention also applies for home wired (XDSL/DOCSIS/FIBRE) connections too."

Yes, but there you can easily avoid it by proper network planning. With wireless networks (and DOCSIS) you have severe physical limitations.

Demo may have frozen, but narrowband IoT stew is still piping hot

Christian Berger

It also involves idiotic design decisions

I mean NB-IOT would be ideally suited for e-mail as the communications standard between the provider and the end user. Since we are often talking about _really_ low bitrates (<1000bps), transmitting a datagram takes quite some time anyhow.

E-Mail is fast, typically an e-mail will arrive within the second. However it's also resilient against errors. If your mailserver is down for a couple of hours you will not miss a single e-mail.

A closer look at HPE's 'The Machine'

Christian Berger

Yes, but...

the IBM360 is still rather popular, and I believe this project can be easily compared to the IBM360, even to the point that if it fails, HPE might be no more.

Christian Berger

Actually a quantum leap will not be enough

A quantum leap is the smallest change a system can do. A quantum leap would be to take a conventional server... and remove a screw.

What's needed here is a revolution. The kind of revolution that used to be common in the 1970s and 1980s, where the "next" machine commonly was 2-10 times faster than the previous one.

Poison .JPG spreading ransomware through Facebook Messenger

Christian Berger

Facebook spreading ransomware...

...a company that earns its money by taking social relations hostage spreads software made by people who take files hostage.

Emulating x86: Microsoft builds granny flat into Windows 10

Christian Berger

Re: Erm DosBox...

Well actually, back when that Windows software was written 640x480 was an OK resolution with 1024x768 being about the maximum you can get.

If Microsoft was to either find a way to rearrange GUIs so they fit on those tiny screens, or bring out a mobile device with keyboard and pen, those software packages would be useful again.

Also there's a lot of software packages around for Win32 which are still maintained. They could still adapt the GUI without changing the rest of the system. This would give those applications a bridge.

Furthermore there's also quite some Win32 stuff, like VPN clients, which do not really need a GUI.

Christian Berger

Actually, now they are trying the shit that stuck

I mean if you look at Microsoft, the only thing that's consistently worked for the last 20 years was the win32-API on x86. If you wrote a program only using that in 1996, it's very likely it'll still work perfectly fine today. If you were smart, it won't even need any kind of installation or framework.

Now Microsoft is finally trying to do what they can do best, running win32 code.

To succeed you need to find something you can do well. For the iPhone this was shiny design, for Android this was the (broken) promise of having an open system. For Microsoft this always was running legacy code from the previous decades.

And it's always been that way, even if you look at the famous Windows 386 commercial, you'll notice that they are mostly running DOS software in their shiny new Windows 386.

https://www.youtube.com/watch?v=noEHHB6rnMI

Even well after the year 2000, people often ran DOS software for some applications.

Christian Berger

Re: Legacy %

"How many people need to run "legacy" apps? Most people use a browser, office, skype..... and not much more."

At home, maybe, but in companies legacy code is essential. For example we use WS_FTP95 at my current company as the only allowed FTP-client. At a company I was at before (from 2008) we were using Protel98, an electronic CAD package from 1998 with no plans to ever upgrade.

There's plenty of software run in companies that will never be updated because it runs and because Win32 used to be more or less stable. In fact there are even many software packages like Praxident which were maintained over 2 decades, but assimilated all those old technologies which seemed hip at the time. Those packages use everything from OCX components over OLE Automation and direct access to printers, up to .net.

The Business market is still important for Microsoft. Office is one of their most profitable products, and companies are likely to purchase profitable service contracts.

The consumer market is long lost to Android anyhow.

Christian Berger

Finally!

Finally a reason to run Windows for ARM over Android. Now they only need to find a way to automatically adapt desktops UIs to make them usable on small touchscreen devices. Alternatively they could introduce a phone with stylus and keyboard.

The point is that they cannot out-iPhone the iPhone. If they want to succeed, they need to build on something only they can provide... in the case of Microsoft that's running legacy Win32 and Win16 code.

Christian Berger

Re: Lots of small companies stuck on X86

For most companies using Windows, Windows is x86. In fact even for Microsoft it kinda is. All the software distribution for Windows happens with binary files. Only .net adds some level of CPU independence.

Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking

Christian Berger

Where did ZyXEL get their reputation for providing usable hardware from?

That must be from back when they made phone line modems. We once had a couple ZyXELs in our lab. One couldn't work with PPPoE usernames containing a #. With another firmware it would randomly forget settings. Another ZyXEL was unable to adapt to one simple quirk in the SIP of a certain provider.

Christian Berger

Provisioning and maintenance mostly

For example when a customer complains, the call-center agent can see how bad the line is, etc.

Surprise! Another insecure web-connected CCTV cam needs fixing

Christian Berger

We _are_ talking about Siemens

...the company that, even in this century, had software that stored settings in an SQL database... accessed by hardcoded credentials.

Hackers electrocute selves in quest to turn secure doors inside out

Christian Berger

There are actually guns available for this kind of thing

They are commonly used for testing devices, but obviously you can trigger them and do other things with them.

Samsung flames out as Chinese march on

Christian Berger

Well... that's to be expected...

If all companies are selling exactly the same product, you get something called "competition", which means that the company with the lowest overall price will win. The obvious solution against that is to diversify and have products that are different from the rest. However with that, there is no guarantee that those will sell well, you have to take a risk which is something modern companies cannot do.

The encryption conundrum: Should tech compromise or double down?

Christian Berger

Currently they aren't even trying

As explained so many times, if you have a budget (i.e. $100k) you can get around any of those mobile phone "security" measures.

Here is a public talk about the capabilities of the Dutch agencies from 2013. You will notice that this includes a FIB with which you can easily rewire any kind of security chip internally to keep it from storing a "usage" counter. Or alternatively to read out the encrypted key and the algorithm, and just do a bruteforce attack. (which is trivial if you have a numeric password)

https://www.youtube.com/watch?v=AVGlr5fleQA

Here's a talk giving an overview on how that can be done:

https://media.ccc.de/v/30C3_-_5417_-_en_-_saal_6_-_201312281245_-_extracting_keys_from_fpgas_otp_tokens_and_door_locks_-_david

Some of the most secure crypto devices on a budget are Pay-TV cards, and if you watch the Panorama documentary, you will find that different companies have been able to circumvent those measures several times in the past. The documentary is called "Murdoch's TV Pirates"

Logically to encrypt data stored on a device you need a secret. That secret has to be entered at least every time you boot, so it either has to be stored on the device, or derived from some stored information and some passcode. On a device without a keyboard, such a passcode cannot be particularly long and usually only numeric.

So if the industry actually wanted to provide a slightly more secure device, they'd offer it in 2 parts. One is the mobile part, which you carry around with you, but is essentially a terminal, the other one would be a device you can have at a physically safe space where you store all the data on and execute the actual code. Authentication would work via public keys (think of ssh) and the server would automatically remove the authorized key for the device if something is fishy, or after some time.

That way, if your mobile device gets stolen, you can simply remove that key, and the new user won't be able to get any of that data, no matter what they do.

I personally think that the "but we need to catch criminals" thing is rather stupid. Police did catch criminals before they were carrying around lists of contacts with them. In fact, people used to remember phone numbers and addresses inside of their head.

Microsoft's cmd.exe deposed by PowerShell in Windows 10 preview

Christian Berger

Problem of interfaces

Programming interfaces on DOS/Windows have always been one of the biggest problems. That's why it's not uncommon for Windows software to control each other by emulating keypresses... either directly by sending keyboard events, or by using the slightly cleaner OLE automation.

And yes, there's probably lots of software using batch files, as such scripts are an efficient way of dealing with files (i.e. renaming them) as well as handling configuration (just edit the script). Since most of the Windows software in use today comes from the 1990s, often with the company producing it being out of business for a decade, there is no chance of those getting rewritten for PowerShell.

It's just that the ecosystem around Windows doesn't work in a way that allows change. Software is written by companies, who do not even release the source code. Those companies can disappear or lose their interest. Often they had to work around bugs, as for quite some years, Microsoft didn't release updates. Now if Microsoft fixes those bugs, they still need to maintain bug to bug compatibility with those old programs. This wouldn't be much of a problem, if interfaces were simple. A couple of syscalls could easily be implemented differently, that's how the unixoid operating systems manage to achieve binary compatibility. You can run Linux binaries on your *BSD computer to quite some extent. Microsoft's interfaces, however, are hugely complex. Instead of having simple overarching concepts like "character devices", every feature needs its own set of function calls, function calls which need to expose a stable API. It's a nightmare to change anything there without breaking lots of legacy software.

Smart meter benefits even crappier than originally thought

Christian Berger

I could understand smart meters...

if I was getting the data from them, and not some shady business trying to build some pseudo business model on them. I can also understand the network operator to get real time anonymised data so they can control the network, but personalised data must only be sent in very coarse aggregation. (i.e. total sum of kWh or credits per month/year)

PoisonTap fools your PC into thinking the whole internet lives in an rPi

Christian Berger

Actually you don't need to trust DHCP...

There is no reason why you should run a DHCP client and believe its claim for a default gateway for network interfaces suddenly appearing.

I mean I can see a point for USB devices posing as a NIC in order to provide some user interface, but for God's sake, ask the user before you accept a new default gateway, particularly if you already have one. (ask if this new device provides Internet or something) Or better yet, don't automatically run DHCP clients on interfaces that are not configured.
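The policy the post argues for, as an added example that is not part of the original comment or of the PoisonTap project: parse the option field of a DHCP OFFER arriving on a newly attached interface, work out how much of the IPv4 space its gateway and static-route options would steer onto that link, and decide whether to accept silently, ask the user, or refuse outright. The OFFER payloads, the 10.0.0.1 gateway and the accept/ask/reject thresholds are all constructed for the example.

```python
"""Gateway policy for DHCP offers on freshly attached interfaces.

Added example; the option bytes are hand-built, not captured traffic, and
only the options field (the part after the DHCP magic cookie) is modelled.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

OPT_SUBNET_MASK = 1
OPT_ROUTER = 3              # default gateway(s), 4 bytes each
OPT_CLASSLESS_ROUTES = 121  # RFC 3442 static routes
OPT_END = 255


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse the TLV option list into {code: raw_value}; stops at END."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:                      # PAD: single byte, no length
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_classless_routes(data: bytes):
    """Decode option 121: prefix length, only the significant destination
    octets, then a 4-byte router address, repeated."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        dest = data[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        router = data[i + 1 + nbytes:i + 5 + nbytes]
        routes.append((IPv4Network((dest, plen)), IPv4Address(router)))
        i += 5 + nbytes
    return routes


def advertised_routes(opts: dict):
    """Every route the offer wants installed, as (network, router) pairs."""
    routes = []
    gw = opts.get(OPT_ROUTER, b"")
    for k in range(0, len(gw) - 3, 4):
        routes.append((IPv4Network("0.0.0.0/0"), IPv4Address(gw[k:k + 4])))
    if OPT_CLASSLESS_ROUTES in opts:
        routes.extend(parse_classless_routes(opts[OPT_CLASSLESS_ROUTES]))
    return routes


def covered_fraction(routes) -> float:
    """Share of the IPv4 space the offered routes would pull onto this link
    (overlapping prefixes are merged first, so no double counting)."""
    nets = ipaddress.collapse_addresses(net for net, _ in routes)
    return sum(net.num_addresses for net in nets) / 2 ** 32


def evaluate_offer(opts: dict, iface_preconfigured: bool, have_default_route: bool) -> str:
    """'accept', 'ask' or 'reject' for an OFFER seen on a new interface."""
    if not iface_preconfigured:
        return "reject"       # no DHCP client at all on unconfigured interfaces
    routes = advertised_routes(opts)
    if not routes:
        return "accept"       # address-only lease, cannot redirect traffic
    if have_default_route and covered_fraction(routes) >= 0.5:
        return "ask"          # would take over (most of) the existing path
    return "accept"


def build_options(entries) -> bytes:
    """Serialise (code, value) pairs as DHCP TLVs and terminate with END."""
    return b"".join(bytes([c, len(v)]) + v for c, v in entries) + bytes([OPT_END])


# Constructed offers: one with just a gateway, one that additionally routes
# 0.0.0.0/1 and 128.0.0.0/1 (the entire IPv4 space) through the same box.
GATEWAY = IPv4Address("10.0.0.1").packed
MASK = IPv4Address("255.255.255.0").packed
BENIGN_OFFER = build_options([(OPT_SUBNET_MASK, MASK), (OPT_ROUTER, GATEWAY)])
WHOLE_INTERNET_OFFER = build_options([
    (OPT_SUBNET_MASK, MASK), (OPT_ROUTER, GATEWAY),
    (OPT_CLASSLESS_ROUTES, bytes([1, 0x00]) + GATEWAY + bytes([1, 0x80]) + GATEWAY),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_OFFER), ("whole-internet", WHOLE_INTERNET_OFFER)):
        opts = parse_dhcp_options(blob)
        share = covered_fraction(advertised_routes(opts))
        print(f"{name}: covers {share:.0%} of IPv4 ->",
              evaluate_offer(opts, iface_preconfigured=True, have_default_route=True))
```

A real client would hook this decision in before installing routes from the lease; the two booleans stand for "this interface has a saved configuration" and "a default route already exists", which the client already knows.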

Security bods find Android phoning home. Home being China

Christian Berger

Re: Therefore it is vital to be able to root your phone

They are root-aware as some dimwits believe that the security model of Android is worth more than the storage its documentation takes.

Since malware typically is shipped by the manufacturer and you can avoid installing malware via the crap-store, rooting is a sensible way to have a minimum level of security.

Christian Berger

Therefore it is vital to be able to root your phone

...so you can install iptables and make sure it'll be harder for it to communicate to anybody else than your server.

Dirty code? If it works, leave it says Thoughtworks CTO

Christian Berger

The problem is, often it's too late when you know you need to change it

Considering that there can be severe security related bugs in said dirty code, it makes sense to regularly clean up code you cannot understand.

If someone else finds a security bug in your code, it's too late.

Siemens to mentor Mentor Graphics in $4.5bn acquisition

Christian Berger

Re: I've worked at a Subsidiary of Siemens using Mentor products

Ohh I should mention that the quality of Siemens software is also not particularly good. Their spiel is to use every obscure and currently fashionable feature of Windows, from VBX components over ActiveX to .net, and to use that in the most incompetent way. It's software that does trivial things, yet lags behind even the simplest user input.

Christian Berger

I've worked at a Subsidiary of Siemens using Mentor products

And I have to say Nucleus (the OS developed by Mentor) is _really_ bad. You can see that somewhere in the 1990s it was made by some decently clever people, then it descended into crud. Code we paid lots of money for was not even superficially tested and apparently written by idiots. You could see the bugs in the code by simply looking at it.

When I did some inquiries on why this was chosen over, let's say "FreeRTOS" the reply was that the decision to use Nucleus was made first, then some documents were written to claim that it's more suitable.

Google's crusade to make mobile web apps less, well, horrible

Christian Berger

Why not VNC?

(or some other play on the idea of a graphic terminal)

VNC only transmits the data you actually display, it's relatively simple to implement (compared to a browser) and it has much less space for security problems as it doesn't rely on server based code to run on the device.

Also VNC now uses by far less bandwidth than web apps. The only problem is latency... but then if you have a typical web app that loads data from two dozen other servers, you're screwed on a high latency link anyhow.

CERN boffins see strange ... oh, wait, that's just New Zealand moving 2m north

Christian Berger

That sinusoidal signal in the CERN data...

...is that because of the changing orientation of the device relative to the Aether? ;)

Google Pixel pwned in 60 seconds

Christian Berger

This is what you get when you make the problem more and more complex

Eventually your developers won't be able to handle it any more. This is a bit like the "Peter-Principle" where people get promoted until they are utterly incompetent at their position... causing all the positions to be filled by people just barely competent enough to not be fired.

With software, developers like to make things more and more complex, up to a point where they are barely able to handle it themselves. Android is a prime example, its core roughly has the user exposed functionality of Windows 3.1, but achieves this with several orders of magnitude more code.

Apple, Mozilla kill API to deplete W3C battery-snitching standard

Christian Berger

Re: It's one standard in a long row of idiotic web standards

"They'd still use all the cruft. It'd just be implemented with proprietary plugins."

Yes plugins, one of the earliest browser misfeatures.