128 posts • joined Tuesday 18th January 2011 17:17 GMT
@Bob 18: Except
..that you do not know what you are talking about. NaCl with or without LLVM bytecode does not mandate inefficient storage strategies. Java and .Net do so.
NaCl allows for efficient strategies like stack allocation, value arrays, aggregated value structures and refcounting. Java and the like mandate "everything on the heap, please". And that makes it dog-slow. Systematically dog-slow. Even in 20 years' time with extraterrestrial VMs written by the uncle of E.T.
It Could Be Argued That Garbage Collection
..is Not a Good Thing at all. See this:
C++ is actually a very sophisticated language and offers many more options to manage memory than GC languages do. Just as an example, if I temporarily need 100 bytes of storage, I can allocate it in 100ns, use it and release it in 100ns. The cache line will be reused for the next allocation.
One More Creepy Fact
Google Mail is setting a Flash Cookie, despite the fact that they do not use Flash for anything useful.
It is clear that the purpose of this is to track people and their equipment.
@azimutha: Please Read Before You Write
Native Client technology will make sure the damage of the buffer overflow is limited to the privileges of the applet, NOT the privileges of the user running the applet. Native Client comes with a layer of code which will check operating system call requests by the applet and will only allow access to a limited set of resources - similar to the SecurityManagers of Java.
Like the Sandbox of Chrome, Native Client is an innovative and useful technology and it would be an enlightened approach to first read the papers they published, before throwing around mud. But who said "IT professionals" are enlightened persons ?
As a last remark, I don't work for Google, nor do I condone excessive data collection by any private or public body. Native Client is Free Software, it is very interesting and can be used without handing your data over to a third party. That's why it is good.
Google's Becoming A NastyCorp
The (probably) inevitable happened: Like any other greedy corporation, they start that "public relations" thing, which is just a sophisticated form of lying. Yeah, maybe "white lies" (whatever the definition of that is), but still lies.
It is totally obvious that Google Search is not an "objective algorithm". Rather, the algorithm contains a ton of heuristics which would hardly qualify for "objective", if that is possible at all. Secondly, some sites such as wikipedia.org and ezines.com have been artificially bumped up in the Google ranking.
Which is all OK with me if they did not claim this had not happened.
I have found the distributed YaCy search engine to be quite useful:
Let me tell you this factoid with YaCy: It is developed by Karlsruhe University and there are persistent rumours Karlsruhe is a major R&D site for German Spookery. Whether YaCy has anything to do with that, I do not know. I do know though, that all wealthy governments try to spy on as many people as possible. Google certainly is a very useful source of intelligence, too.
Then there is Yandex.com from Russia (who have their fair share of spooks). But putting eggs in different baskets might be a wise strategy.
@AC: State Criminals
This term refers to people who can break the law without sanction, because they are members of an "intelligence organization".
US cables claim Chinese Intel did exactly that with Windows source to create spearphishing trojans. US Intel can abduct and torture people. These are the people I am referring to. By the way, why AC ? Why can't M$ share all except their copy-protection code with everybody ?
@sabroni: Nope, But Source Is Open And We Have AppArmor
With Windows, only State Criminals can inspect source code, which they do. With Linux, everybody can, and it means there are way fewer exploits in existence.
Also, there are Linux Security Modules, which can isolate stinking piles of application code. You only need to trust AppArmor, not random application programs. This is a systematic approach to securely running untrusted code. The pros at NSA have SE Linux, which is similar.
No Text Books ??
Are you writing about Zimbabwe ?
A) your MP
B) your education ministry
I am sure this will help.
There are quite a few highly successful German corporations who have CEOs with engineering degrees. Some of them (such as Mr Piech or Mr Zetsche) can actually design and build something other than only an Excel sheet.
Mr Piech built VW (and all its European elements) into a serious competitor to Toyota, which is #1 in automotive.
Warren East of ARM is educated as an engineer, as are many of his colleagues:
Angela Merkel has a Physics PhD.
Google: Two engineers/computer scientists at the top.
Intel: Founded by engineers, still run by engineers.
It is true that many engineers have trouble dealing with "social" issues in the widest sense. But it is also true that other professions have trouble dealing with "reality", in the widest sense. See 2008/9 financial crisis.
Engineers need to mingle with people instead of isolating themselves. When they do, they will quickly realize there are so many opportunities to improve the state of affairs and what the weaknesses of other professions are. Also, experience and learn the nasty tricks. Experience the "heat in the kitchen".
If you are too lazy or too cowardly for that, please do not complain.
Some pictures of engineers:
England Probably Discovered This
Funnily, there is no English Wiki page on it. We had to learn and understand what happens when temperature and carbon content are changed in steel. Didn't English engineers discover all of that ? Then, there was "Härteprüfung nach Vickers" or "Härteprüfung nach Rockwell" (testing hardness).
German industry needs qualified engineers to sustain the development and production of high-quality metal-based machinery - from cars to the A380. There are lots of jobs for proper engineers and technicians here. Our wealth ultimately depends on ingenuity, as our only natural resources are wood, grain and salt. German coal is not competitive by an order of magnitude.
I assume Margaret T ("there is no such thing as society") bears a lot of responsibility for all that.
Gymnasium in Germany
Here in Germany "soft skills" were all the rage ten years ago. It turns out that the hard skills are what matter. Anybody who is not a complete idiot can acquire the soft ones "on the job".
This is a (probably not completely accurate) curriculum for a Technisches Gymnasium (up to class 13; pupils are nominally 19 years old at completion (Abitur)):
If you want to study for an engineering job, you must be able to do simple engineering jobs like designing a transistor audio amplifier *before* going to Uni. You must be able to calculate a Standard Deviation of 1 million numbers with a Delphi program. You must know how to harden a steel instrument (ab)using your mother's kitchen, while she is at the barber shop.
You have to know how to make explosive cotton.
Those who don't learn this for whatever reason must drop out. No excuses, no "high potential kid" rhetoric of parents accepted. Lawsuits are to be addressed to the state, not a teacher. Problem fixed. Hard skills matter. Talking is done in Germanistic or Anglistic studies, even though I have to say my English teachers were quite good.
You Should View It In a Positive Way
..expect quite a few open-source security apps from Persian programmers in a short timeframe.
Mr Vlad already decreed Linux. NSA doing SE Linux. FRA, SA and LSE going Linux. Tokio SE already Linux. German diplomatic crypto Linux-based. USN Cyber Defence Ops (Identity mgmt) Linux-based. German flight control Linux-based. Core DISA system Linux-based.
So many bad guys all hardening Linux - there must be a "meaningful" outcome :-)
..terrarizt scares in that area, maybe ??
Amateur Radio To The Rescue !
This should be a reason for network ops people to have their boss give them time & money for an amateur radio license. Plus a proper HF transmitter (with at least 1kW of power).
Looking at IBM offices, it seems some companies did this for decades :-)
@John 62: JP8 is Champagne For the Euroleopard
b/c it is basically a "better" Diesel. I have no insider knowledge on which fuels it can consume, but I don't think it infeasible to burn basically every kind of fat, grease or oil, given sufficient R&D and money spent towards that. BMW even has a Diesel burning hydrogen.
See this on the M1Ax:
Does not exactly sound good to me.
The gobbermints have their fingers in this stinking jarpot:
I could give you some more examples of gobbermints around the globe - from Germany to China.
@Destroy All Monsters: Never give up
..don't cha know ? One must fight to succeed.
Seriously, I am not only posting about my programming language, but also about lots of other stuff on my site. And I do indeed think it helps other people to share IT security-related knowledge as opposed to the latest rant about the incompetence of company X.
Finland will Win
..because hundreds of engineers will be forced to quit that bureaucracy called Nokia.
They could bring Qt to Android, as Android is Open Source. Maybe they will bring L4 to HTC hardware.
In a few years, Finland will be much more diverse than it is at the moment. And probably wiser.
Boycott Microsoft And Apple
That's what we can do.
Go to an Apple shop and tell the manager you would have bought a Mac or an iPhone if Mr Steve didn't act like a child.
If the MS sales rep shows up in your company, tell him to convey the same message to Mr Monkey In Chief.
Introducing the A1 Toybolt
..just buy yourself a large remote-controlled model plane, add a G3, camera and video transmitter. That gives you beyond-horizon capability. The other side can't reciprocate, because we are better at jamming and could even bring in 20mm Flak.
You've got one in IWM:
Nokia Has a Passion For...Money
Others are passionate about their product. Just look at their price figures - anything non-retarded is more expensive than a full Taiwanese laptop with UMTS.
They have great, economic hardware, but don't give developers access to their holy C API.
Feel the creative destruction and succeed in a new company, Nokians. Companies like Trolltech, which you swallowed. Five proper engineers can create something which threatens the iPhone, but I don't think this army of 60000 can ever coordinate their action. Because they have approximately 59995 people too many on board, who will sabotage anything useful.
Fail properly and then R.I.P.
Security Business To Take Off
A German party (which I would classify neo-Nazi, yet different from this party) has also been hacked:
IT professionals must now re-think the way we develop, operate and maintain information systems. What was paranoia in the past must be part of any solid IT concept in the future. That security does not come for free is not a valid argument - the IT business as a whole will suffer if the perception "computers in general are insecure" becomes widespread.
Here is a list of technologies for our toolbox:
+ Safe Programming Languages such as Cyclone or Modula-3
+ Virtual Machines as a security concept
+ Cryptologic Support to encrypt and verify integrity
+ Mathematical Proofs of Correctness for systems like AppArmor or SE Linux
+ Secure Operating Systems such as the L4 microkernel, which has been proven to be correct.
I have a reputation for blasting the wrongdoings of Americans here, but I have to admit AppArmor and SE Linux are at least partially American technology. Please keep doing the good work !
I was referring to the Tiger tanks, not to the early ones, which were clearly inferior to the T34. I think you validated my statement - technology does not win wars, but broad diplomatic support will do.
Germany tried a Strategy of Technology concept, but was simply overwhelmed by relentless pounding of the Red Army and the USAAF (and some RAF). The whole premise of 200 million people fighting against the rest of the world was the mistake, not the technicalities whether to build ballistic missiles or bombers.
The premise that this grenade launcher will subdue the Afghans is equally wrong. Only if we are ready to jail and reeducate something like 300 million people (Afpak, Somalia, Yemen, Saudi), there is a prospect of "eliminating terror". Better dust off Stalin's techniques, if you want to go that route.
So, by logical reasoning, Withdraw and Isolate is the only feasible option. A plain Uzi and two trained american eyes in a train in Alpharetta will be infinitely more effective than this grenade launcher in a cold valley in Crackistan.
Your Trusted Heckler&Koch Salesman Suggests
It certainly has the same range as the opposing machine guns, as the ammo is the same. Built for decades and surely there is lots still in stock somewhere in German or Turkish bunkers, as it was the standard infantry gun for the Bundeswehr for a very long time.
Still I don't think that technology will fix the problem. It didn't fix it for Adolf the Mad, despite the fact he had some of the best tanks, jet engines and ballistic missiles first.
@So what is safe moving forward
Use anything non-Oracle and non-MS. Eg.
Judging From My Experience With Corporate Germany
...this report could be fully true, except for the "McAfee solutions for the problem" part.
Instead of having a proper (i.e. speedy, pervasive) patch policy in place, the corpos have two-factor authentication, x-ray machines to check the bag you bring in and restrictive physical access policies.
Workers' PCs have age-old Firefoxes, age-old Flash and age-old Java Web Start versions installed. Exfiltration by Google Mail's SSL is certainly possible. Spearphishing would be the easiest thing one can imagine.
The management people don't want to be bothered with the problem, they do not want to develop social and technological solutions which would reconcile security with business efficiency. All they are willing to do is to shell out money for some Magical Device, which would fend off the threat at the firewall. Because this does not require interacting with these smelly unshaved computer folks.
A sophisticated AppArmor- or Sandboxie-based solution could thwart this attack. But that would require more than writing a cheque. It would require these "skilled executives" to use their brain cells. Horrible !
After reviewing your comments, please let me express my heartfelt hostility to you and your colleagues in that office complex in Langley, Virginia. We don't like you at all.
Please just pull the pin and wait.
This Man Elop
..clearly does not have an opinion of his own.
Steve Jobs is a certified moron, but a moron who is dedicated to his products, who cares about every little detail.
Elop is just doing idle talk; he is not able to give firm orders to the troops. Instead he is weighing options in public.
Let me suggest a very simple strategy:
1.) Define an extremely simple hardware standard: ARM+ audio + framebuffer video + Internet communications capability + telephone capability.
2.) Define a simplistic Linux or BSD running on 1.)
3.) Based on 1.) and 2.) create C++-based products with polished user experience. Focus on the product, not on grand strategies. Each product line has a single responsible manager, not this matrix-crap-org.
4.) Share 1.) and 2.) with world+dog, as IBM did with the PC.
5.) For spaghettimonster's sake, stop all that beancounting to "determine user satisfaction". Instead, get a fscking Iphone, and Android and a Nokiaphone and let real users play with it. Talk to them. Watch them. Forget all that beancounting. A product line manager has to talk to his users, not to analyze beancounting ("statistics").
The Slow, Ugly Hunk Named Java
See for yourself:
ATS could quite well replace Java, as it is also a safe programming language.
The Hoover Dam...
is probably part of a bigger grid where power generation/consumption must be managed. This is probably done by a centralized management facility and interconnected via an encrypted VPN.
I have yet to see reports of VPNs being hacked. All I have seen is rather amateurish security being exploited (USB ports open, CD burners exploited, foreign PDFs opened on SCI computers and similar stuff).
But maybe the "please generate X Megawatt power" signal could be displayed in a "networked" computer and then being manually "transmitted" to the Hoover Dam control system. That would surely be maximum security.
Those who are slow in their brainworks, please use the above text and replace "hoover dam" by <any critical network facility>. Including nuclear power stations and water processing facilities.
Education, Education, Education
And not just the M.B.A. blah-blah combined with some Excel beancounting is going to fix the problem.
Engineers are nowadays looked down upon, while the law types are highly respected. A lawyer will not defend your blueprints from being stolen; a capable security engineer does stand a chance. If you, Mista MBA, would care to listen.
- Lawyer CEO: Replaced by Codetalker CEO. NOT FIXED.
- Customer Perception: Nokia perceives the Telecom Operators as their customers and gives $hit about real people using their contraptions. I once offered them an SMS-killer technology and all they said was that it would offend the network operators. The technical merits were of zero concern. Basically, they tell skilled developers w/o a billion dollars to go away and leave them alone with their friends Vodafone and Deutsche Telekom.
- Software Updates: PTTNDFA model. As in Pay-Through-the-Nose-Does-Not-Fix-Anything.
- Crap API: J2ME is crap and will be crap. For example, the 6300 has very nice "internal" applications for the phone book, caller list, SMS editing etc. Unfortunately, Nokia does not expose the API to create these nice and responsive applications to a smelly, unshaved certified computer-science hacker like me. I have to accept the stinkin' J2ME and shove off, anyway.
Actually, it would only be fair for Nokia to go belly-up; considering the fact that their only passion is a Passion For Money.
Legal Acts Of War (According To Your Definition)
Germany attacking Poland
Germany attacking Belgium
Germany attacking Russia
Germany attacking France
Germany attacking Czechoslovakia
Germany attacking Norway
Germany attacking <some more countries>
Don't Interfere In Internal Matters Of Other Countries
..the Chinese talking line. Excellent.
@Tom 13: Who Is Feeding You ??
Siemens systems are in no way "compromised". Someone wrote a virus to attack Siemens SCADA running on Windows NT. They used several weaknesses in NT and Siemens software.
These systems should have been tightly controlled by Iranian security in the first place and it would have never mattered that they are not totally secure. That's standard practice in the west for at least 20 years now.
I expect the Hoover dam control systems to be behind 1 BSD firewall, 1 SE Linux firewall, 1 Cisco firewall and all secured with SSL/SSH and custom certificates. The control system does not run Facebook, even if the operators are bored the whole day.
In case of emergency, someone pulls those two DSL lines which connect to the outside. DONE.
You put it very well. Assassinating Hitler was technically also High Treason, yet I do think the people who tried deserve respect.
The officers of the United States Air Force failed in their duties when they obeyed Nixon's orders to perform "dummy" attacks with fully armed B52 fleets on Russia. They should have committed at least a limited form of treason by applying physical violence and/or medication on Nixon.
I would love to hear what Langley and AFSS/Inscom have to say about this. All I can hear from them is deafening silence.
Which means America is a grave threat, then and now.
...somebody has to be the very real "bond of blood", don't cha know ?
Britain's getting invaluable intelligence from UKUSA, and the gawrnment won't risk this great "special relationship" for you insignificant lowling. Somebody has to pay the ultimate price, and we decided IT'S YOU !
Civilized Prime Minister
Also Mandate Ownership of Kilowatt-class HF Radios
..in case you need to defend your right to communicate. And jam the air force radios in case they abuse their RC135s and Guardrails to geolocate "homegrown communication terrorists spreading terrorist messages".