Posts by Christian Berger

Re: They cracked this in the 70's

I think they are nearly a thousand pounds, aren't they.

However to be honest the musical numbers composed by it never quite got out of the UK. Even "Little Mouse" is barely known in Germany, for example.

It's most likely a combination of the following...

Gaining access to unrelated systems in order to know about the social graph of the target.

You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.

This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.

BTW probably _all_ secret services do that kind of thing.

Specialist applications like broadcast studios...

... there you typically have a rack nearby where all the noisy stuff is. From there you use long cables to your desk. Plus there are situations where "switching" your desktop to another place can be usefull. For example radio newsreaders can prepare their texts on their desktop and when they join the main host in the studio they can just switch their desktop in there to read it. In short there are many special applications where that can be useful.

Also considering that actual workstations are rather expensive devices, you need to look into the future. Having something you can buy a rackmount kit for, can give you new options for secondary use.

Re: It's funny to see that now...

Well in those countries and those governments they simply roll out their own CA. It's a huge security nightmare, of course, but that's a completely different problem.

Re: Bad idea

In a way it's even worse than that. If you had chemists work out which reactions would occur, you are left with a set of rules bringing you more understanding into those kinds of reactions.

If you just train an AI to predict something, you gain no understanding at all. You just get a black-box which may or may not predict the outcome correctly without actually giving you reasons for it.

Repeaters are avoided

Repeating the signal means demodulating, regenerating and remodulating it. This means that you'll be forced to know the modulation scheme in advance. So if some time in the next 10-20 years a new technology comes along, you cannot use it. The advantage of repeating is obviously that you don't amplify the noise.

What's done instead is to use optical amplifiers. There are several types. One obvious one is a laser. Unlike normal lasers which have mirrors on both ends to have an ever growing avalance of photons, you don't have mirrors there, but send in your signal on one side, and it comes out amplified on the other side.

Raman amplifiers use non-linear properties of the fibre and use one strong laser to turn those properties into amplification.

Re: Well better that than what happened to Kodak

Well the change is obviously underway. There used to be times when we stored 20 Megabytes on harddisks. The point from which on we use disks has gradually changed from kilobytes to Tterabytes. Today for sizes below a terabyte flash is cheaper than harddisks. As flash gets cheaper and harddisk sizes and prices start to stall, that border will move more and more upwards.

Re: Trivial = Expensive

Well the "16 year old hacker" is not the problem here, those understand ethics and therefore won't do any intentional harm.

BTW using drones for this makes the effort explode. Not only would you need n-times as many transmitters, you'd also need drones which would have to be fairly far away from the receiver, moving at potentially impossible speeds, transmitting at powers which would get noticed.

Re: 2FA?

Well if you allow "something you know" and "something you are", your standard username/password combination would perfectly, as your username is something you are, and the password is something you know.

Same goes for biometry where you have a public element like your fingerprints (which you leave everywhere) or features like the look of your iris (which everyone can see) and combine that with something you know.

On about the same level are cellular phones as "second factor". While hypothetically you could build a moderately secure one... if you wrote secure GSM/UMTS/LTE stacks for them, but no one has bothered to do that so far. Adding insult to injury there are now application processors which run highly complex OSes of their own and nudge you into running only code from manufacturer controlled malware ridden "Appstores".

In any case, we are talking about a web service. Using actual 2FA (like with public keys stored on your computer or a smart card) is like putting a high security padlock on a paper bag.

Re: Seriously, who buys Cisco telephony equipment?

Well but it's terribly buggy, and there are cheaper, more competently made packages like "Starface" around for which you can also get decent support.

Yeah, particulary since there is Javascript, WebAssembly and the likes

People just tend to run any code when you tell them that there's a sandbox involved.

Few people grasp the concept that sandboxes won't safe you from mining malware.

I'd say that on the second purchase (after refurbishment) the majority of Thinkpads will run something other than Windows.

Re: Ummm

"But it's simple and easy to have a POTS phone plugged directly into the line"

Yes, but that only works with old analogue telephones. And for that you'd need to replace the line cards at the switch to downgrade you from ISDN to that. Plus you'd need to buy a new phone.

That is all provided you can still get analogue linecards, which seems unlikely as ISDN carrier equipment is no longer manufactured and the equipment still in operation is working on salvaged parts from closed down ISDN exchanges and doing that with an ever increasing failure rate.

It's simply not feasible to convert an area back to dialphones in case of an emergency.

There is no evidence...

... that's the whole point. All AV products have a theoretical benefit at best, far outweight by the many actual practical problems with them.

It's simply not wise politcially to demand or present evidence, because then you'd be forced to act logically and would therefore have to publicly declare your goals.

Well it depends on what they are doing

Seriously using some full fledged webserver when you just want to return a static page, isn't the best idea.

However you should always know what you are doing. If you have unbound writes in your code, chances are that your CGI-script would have simmilar problems even if you used a pre-made webserver.

Well it's not that easy

Both Samsung and Apple depend on instruction set architectures. So whatever they do they need to be able to run ARM-code.

So they can't make it ARM compatible as ARM would sue, and they couldn't make an emulator, since ARM would sue.

The hope is that Risc-V might become important enough that Application developers see it as important enough to compile their software for it. Yes, Android can use Java, but none, but the most trivial apps can work without additional native blobs.

The netlist is not where you would hide your backdoor. That would be both hard and dangerous to do. The far better place is to put it into any kind of "security" subsystem, as that makes it far easier to get it working and won't ruin your chip if it doesn't work. Simply put, if you already have a seperate CPU on the die, it's far simpler to make that one send out memory regions than to somehow modify the main CPU in a way that it only misbehaves in certain situations while still passing all the tests.

Re: The Windows GUI ...

You know it used to be developed by people who knew what they were doing. Adding to that were empiric experiments to find out how well the users could use it.

Also back then they had decent font rendering. Unlike todays mushy vector fonts with "anti aliasing", they had vector fonts with embedded bitmaps for common sizes. So in the likely case you used it in a standard size, you got crisp black on white bitmap characters, lovingly hand crafted to look good.

Re: 50MB over what time ?

Well there's mosh which runs over ssh... and for some reasons at least some pre-paid carriers even allowed you to use that if you had no money on your account.

In any case, what's nice about the system used in German ICE trains is that you get a local copy of OpenStreetmap with an indication where your train is.

My current main Laptop is 10+ years old

Despite of heavy abuse (including running it in a dusty environment for a while) it still shows little signs of getting old.

The point simply is, if you are a large business you'll notice if 0.01% or 10% of the laptops you bought fail within the first years. Since a failed laptop can be hugely expensive, you will stop buying from the 10% companies.

And 0.01% over 2 years simply more or less translate to a high percentage of computers still working after 10 years.

This is not like the consumer business where there is no correlation between broken devices and returns. People will return perfectly working devices, and people will use severely broken devices thinking it's supposed to be that way.

Re: It's a general problem of "application based" computing

"there's no way to fully encapsulate everything you want something to do in a limited interface"

Actually there is, you can do everything via a terminal, either text based or graphical.

Yeah, particularly in a RAID situation where you'll end up with several independent blocks with connected cleartext. Essentially you could, for example, have the same cleartext encrypted with 2 ciphertexts in a very predictable manner. This is one of the things that could eventually become exploitable.