* Posts by Christian Berger

4558 posts • joined 9 Mar 2007

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Christian Berger
Silver badge

Re: Well to stay real for a bit

"However, if you use their DNS servers (and most people do), they can track where you have been on the Internet."

Well but they can see the destination address of the packets going to their routers. And obviously those packets have to pass through them as that's their business model. I hand them over IP-packets for them to send to the Internet and get packets from the Internet to me back.

1
1
Christian Berger
Silver badge

Well to stay real for a bit

Your DNS belongs to your ISP, they can just as well sniff all your traffic.

The only danger would be for users for remote DNS resolvers like 1.1.1.1, 4.4.4.4 or 8.8.8.8 or that Cloudflare DNS over JSON over HTTP over TLS thingy. Those are likely to be logged by both the provider itself or by third parties.

Tampering with DNS works for censorship, however bending sites to different servers is made hard/impossible by TLS.

In any case nobody will go through the trouble of sniffing DNS. If you want to get data on your users start a web service or some web framework hosted on your servers and use the logs.

1
5

Google shaves half a gig off Android Poundland Edition

Christian Berger
Silver badge

Linux actually is much more than what you'd need on such a device

Essentially Android used a fully featured OS and cut it down PDA style. From a users point of view there is not even a filesystem left, and users are expected to "sync" their devices to cloud services, just like traditional PDAs had to be synced via special software.

All the security mechanisms protect business models, not actual user security, so once we get rid of the malware store (and have something like Linux distributions have) we can get rid of that, essentially allowing users to become root on the devices they paid for.

0
0

Faxploit: Retro hacking of fax machines can spread malware

Christian Berger
Silver badge

What I've just noticed is...

... that this apparently only affects HPs Inkjet Fax machines. In a way that makes sense as laser faxes have little reason to interpret JPEG, as they are not good at printing "continuous tone images" as the standard calls them.

0
0
Christian Berger
Silver badge

Re: Sure, here's how I did it yesterday (not really).

Ohh, but Fax machines interpreting JPEG are actually very rare. Yes, it's in the standard, but so far I've only seen a Samsung one actually doing it.

BTW you can find out if your fax has such features by looking at the capabilities it announces diring the negotiation phase. Most laser fax machines have some "T30-Trace" feature to print out a commented debug trace of your session.

0
0
Christian Berger
Silver badge

In civilized countries...

"It doesn't really make economic sense to have a fax machine physically they days just based on the line rental costs."

In civilized countries, companies have a trunk telephone line anyhow, so a fax machine only uses one port of your PBX which you usually buy on boards containing 8 of them.

Using external FAX-providers is not only bad security wise (an additional company handling your data creates additional possibilities for malevolent actors), but also a huge problem with reliability. You have more components in the way, each one could fail, and once you leave the fax protocol domain, failure will not be reported to the sender. If you have a full "fax-to-fax" connection, your sending fax will only say it's OK when the receiving fax acknowledged its reception. For some faxes that even means that the fax was printed out already.

4
0
Christian Berger
Silver badge

Ways it could work, in theory

Page data could be a vector, however any receiving fax is required to count lines of wrong lengths as "errors" and discard them. The number of lines per page is of course not limited, but faxes have been used for long pages in the past.

What's actually more likely is the negotiation phase, there Fax machines talk HDLC over v.21 with eachother. It could be that the software only allocates a 256 octet space, but the HDLC frame is much larger. Since HDLC frames have no "length" indication you don't know how long they are. I have actually seen one particular modem (ELSA Microlink 56k) crash when it receives bad negotiation in that phase.

1
0

Hackers can cook you alive using 'microwave oven' sat-comms – claim

Christian Berger
Silver badge

“The flaws allow us to ramp up the frequency.”

Uhm.... no.

There is nothing special about the frequency, it's just in a convenient range and has been allocated to microwave ovens. What you could "ramp up" is the power. However there are hardware limits. Satellite uplink transmitters typically have something in the order of 50 Watts. Granted there is a high gain antenna sending it directly to the satellite, but then again, your 700 Watts microwave oven makes sure most of those 700 Watts of output power actually reach your food. An open microwave oven is still moderately safe if you stand a few metres away from it.

Just because you can take over control of a radio device by no means means that you can do anything that dangerous. I mean I could probably take over my WLAN chip, but I'll never get it to output any serious power.

4
1

Google Spectre whizz kicked out of Caesars, blocked from DEF CON over hack 'attack' tweet

Christian Berger
Silver badge

It doesn't seem like they care

"Nowadays the NSA, CIA and defense contractors routinely recruit at the two shows"

I don't think they care about what they do when they allow the NSA, the CIA and defence contractors as _recruiters_. I mean recruiters by itself are already not welcome at European conferences, even less so when they come from organisations that have on multiple times worked against the population. I mean what's next, a Mozilla stand?

4
4

Devon County Council techies: WE KNOW IT WASN'T YOU!

Christian Berger
Silver badge

Actually back in the 1990s I was at a company...

having HP LaserJet 5si or something printers. When doing long print jobs, they would start to loose letters. Your document would start out normally, then certain letters would "drop out" resulting in blank spaces between the leftover letters.

3
0

Encryption doesn't stop him or her or you... from working out what Thing 1 is up to

Christian Berger
Silver badge

Re: There's a war brewing

Well IoT which is dumbed down so that even idiots can use it is usually the problem. There's nothing wrong about having controllable lights on your own LAN or VPN. It's just highly idiotic to have any vendor service involved.

10
4

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

Christian Berger
Silver badge

Re: sell it to the black hats and ...

"but does that "fuck the vendor" or "fuck the users"?"

I'm sorry, but for decades the security community warns against vendors of "security in a box" like Kapersky. It's like doctors warn that homeopathy is nothing more than a placebo with a talk.

BTW this is not some sophisticated problem that's hard to exploit. Everyone already sniffing for DNS traffic wouldn't even have noticed there being a VPN anyhow. So they wouldn't have gotten anything from "Blackhacks" (I don't like those terms, it's like putting people into "good" and "evil" categories. Life is not black or white, and many people with good intentions do horrible things, see Mozilla)

5
0

FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack

Christian Berger
Silver badge

I've once heard a quote about fragmentation and IP

Someone once said that the existence of fragmentation in IP shows "how much experimentation was going on in the early days of the Internet".

I mean seriously, I know it seems like a straight-forward idea. You have a packet, it's larger than your MTU, you split it into two. However the complexity on the other side is immense if you think about it for more than a few minutes.

2
0

IBM, ATMs – WTF? Big Blue to probe cash machines, IoT, vehicles, etc in new security labs

Christian Berger
Silver badge

Cash machines would be moderately simple to secure

Since they need to be online anyhow in order to function, why not put all the intelligence into a trusted server in a secure location? Just make all sub-devices talk directly via end-to-end encrypted channels with it. Have the sub-devices as simple as possible (i.e. by not using the complex protocol negotiations of TLS, or complex operating systems), connect them via a VPN-Router to the server, and there you go.

Obviously those small subsystems need to have good physical security. However with ATMs you already have an established culture of that, as well as the logistics to transport physical objects to it. That way you could do firmware updates by swapping and refurbishing the hardware modules.

0
0
Christian Berger
Silver badge

Re: Democracy inaction

Why even scan them, Germany shows that you can easily have a hand-count of most elections within 2 hours, including tabulating the preliminary results.

0
0

The age of hard drives is over as Samsung cranks out consumer QLC SSDs

Christian Berger
Silver badge

"In the field of computing that's not bad for a 60's technology!"

Well... not exactly, most technologies from that time 1960s are still in use. Semiconductor DRAM is one example which is still the most common form of RAM in computers which use more than 32 Megabytes of it. In a way even flash memory borrows its core idea from DRAM.

The same goes for operating systems. Unix lives on in the form of the BSDs and Linux. Multics lives on in Windows and Systemd. People still use Maxima on a daily basis.

5
1

Security world to hit Las Vegas for a week of hacking, cracking, fun

Christian Berger
Silver badge

Of course in the UK there's always the EMF camp

aka the Elektromagnetic Field Camp.

Or the ICMP, the Intergalactic Club Mate Party, a hackers camp that has a non-web ticket shop. (it uses ssh)

In general the European conferences seem to be more self reflective. While the DEF CON used to have Facebook sponsor their badge which was a smartphone controlled by Facebook, sponsoring is rare on European conferences, and the bit of sponsoring there is in goods. For example Deutsche Telekom sponsors some bandwidth, but no money, equipment vendors sponsor equipment loans, and so on.

0
1

Dear alt-right morons and other miscreants: Disrupt DEF CON, and the goons will 'ave you

Christian Berger
Silver badge

Re: Actually there were virtually no problems at the Chaos Comunications Congress...

Well but the Chaos Communications Congress is not _that_ much smaller. Last time it was 15000 people.

0
0
Christian Berger
Silver badge

Well DEF CON is something different to your typical European conference

For example in Europe you typically leave your company at home, while DEF CON seems to be extremely uncritical about sponsoring. As far as I've heard they even had a smartphone provided by Facebook as a badge.

Also another problem seems to be the different attitude about alcohol. In the US people under 21 may not drink alcohol. That is rumoured to result in binge drinking at those events. In Europe the attitude towards alcohol is much more relaxed and even children have nipped a bit of beer provided by their parents. Therefore on European hacker conferences there are rarely people who had far to much alcohol.

3
2
Christian Berger
Silver badge

Actually there were virtually no problems at the Chaos Comunications Congress...

... particulary as there was no formal Code of Conduct. Having an elaborate Code of Conduct essentially invites such behaviour. It turns interactions with people into a game of how far you can go while still staying within the lines.

The more sensible solution is provide help to anybody who is in need. For example during CCC events there is a helpline anyone can call if they feel misstreated. They also have volunteers to resolve those problems.

The main point here is to react when there is a problem, not to proactively impose rules because someone thinks there may be problems. You rarely can solve problems before they exist. Also Twitter is not the real world, Twitter mostly is a way of public interaction which brings out the worst in people.

7
0

UK comms revenues reach all-time low of £54.7bn, as internet kills the TV star

Christian Berger
Silver badge

BTW Fax is at 4,2% of calls

and 1,6% of minutes.

ISDN data calls at at 0,15% of calls and 0,016% of minutes.

Both numbers come from an unnamed VoIP provider. Obviously Fax and data calls are typically shorter than voice phone calls.

0
0

Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

Christian Berger
Silver badge

Re: Overly Gloom and Doom 90's Predictions

IPv6 doesn't break anything, it's just a new network. If you want to say with IPv4 that's fine, but don't complain about the people that move on, either because they just don't have IPv4 addresses, or because they want to have something that works.

And unlike older networks like the Telex network, the X25 network or ISDN, IPv6 doesn't really have any serious disadvantages over IPv4. It's not like IPv4 was isochronous or provided you with identifiers a governmental organisation guaranteed you or anything like that.

I mean people still operate "Mailbox"-style services you can access via your modem. That's still a thing. People also still exchange medium amounts of data (e.g. the print files for a newspaper) over bonded ISDN channels. There's no reason why IPv4 goes on for decades in niche usecases.

0
1
Christian Berger
Silver badge

IPv6 is probably best thought of a separate network...

...which it technically is. It just shares some infrastructure (like DNS) with the legacy IP network. Don't even try to think of it being the same network. This saves you from lots of headaces and suddenly things make sense. Like if you cannot call an IPv6 phone from a legacy IP phone, you know that that call needs to go over some sort of gateway between the different networks.

8
1
Christian Berger
Silver badge

Re: Never!

"Have you tried pushing an unexpected connection through a NAT router?"

Well that usually doesn't work when you want it to work... usually thanks to ALGs you can sometimes get it to work by spoofing some data on a seemingly unrelated connection. (i.e. downloading a file over HTTP which contains FTP commands)

1
3

Amazon, ditch us? But they can't do without us – Oracle

Christian Berger
Silver badge

Re: Oracle is historic legacy software for Amazon

"However, doing this kind of thing for its own sake or for the possibility of saving money is not enough as it means you now have to maintain an inhouse solution for non-core software."

Well if you are as big as Amazon, having your own custom software for your internal use might be something cheaper. After all instead of paying "per seat" you will only have to invest a flat fee. Also customizing "off the shelf" software often is more expensive than writing your own dedicated package. A good example here is SAP and Lidl where the customisation of the "off the shelf" package cost 500 millions! BTW I do think that ERP is a core function of any larger enterprise.

So yes they are also going to offer it as a service, as they do with most of the things they buildt for themselves, but that's just an extra bonus.

10
0

Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Christian Berger
Silver badge

I don't really think it's a module vs compiled in issue

I think it's an issue wether it should be in the kernel repository. After all most drivers in there can already be compiled as modules.

I don't think it should be compiled in, however if its compiled in you could potentially make a VPN server/client without a file system. That would be an interresting idea.

2
0

Microsoft devises new way of making you feel old: Windows NT is 25

Christian Berger
Silver badge

It is also spelled MikeRoweSoft.

6
2
Christian Berger
Silver badge

Well cutting the old cruft didn't really work

One of the main selling points for any version of any product from Microsoft was that you could run your software from previous versions.

That's why Windows NT still contained the incredibly messy WinAPI which, because it had no way of generalizing things, had a function for every feature imagined by the creators, as well as data structures where the things you were interrested in were declared "reserved do not use". The API was so bad that people resorted to reading the stack in callback functions to get more information from the system.

Then you had features deliberately put in to harm your competition by making it harder for them to implement them. SMB is said to have quite some feature duplication, apparently developers didn't read their own code.

The problem for Microsoft is that they cannot get rid of this. Any change means loosing backwards compatibility. Any loss in backwards compatibility means that wine and ReactOS will look like better alternatives.

8
0

Nokia: Oops, financials aren't great. Never mind, 5G will solve our woes

Christian Berger
Silver badge

Re: Nokia 5G

"but it's public information that their ReefShark 5G chipset uses Intel 10nm so I wouldn't bet on this rolling out any time soon."

That would be a phenomenially bad decision, however considering that "Nokia Networks" is both a child of Nokia and Siemens this becomes absolutely plausible.

For reference, Siemens spun out their semiconductor department to Infineon... then Infinieon spun out their memory chip department to Quimonda which then went bust in the next cycle.

Siemens Healthcare also re-branded itself as part of a employee demotivation campain into "Siemens Healthineers". Complete with a dance routine:

https://en.wikipedia.org/wiki/Siemens_Healthineers#Controversy

0
0

IBM Watson dishes out 'dodgy cancer advice', Google Translate isn't better than humans yet, and other AI tidbits

Christian Berger
Silver badge

What I'm always missing in the AI hype...

...is how a particular achievement compares to some other approach, i.e. some carefully written, but otherwise trivial program, or some conventional statistics.

4
0

'Prodigy' chip moonshot gets hand from Arm CPU guru Prof Steve Furber

Christian Berger
Silver badge

Re: CPU complexity

Well there is the idea of "data-flow" based computing where you have lots of simple processors, each one with its own RAM and fast links to the others. The idea was to split up your problem into many small parts and make those run as part of a pipeline.

The problem is that this is conceptionally verry different to a PDP-11, so C(++)-Code won't run efficiently on such a machine. The solution back then was to use specialized languages like Star-LISP.

Of course today with the dominance of Unixoid systems, shell scripts could actually be a solution. Just let each of the C-based utilities run on its own core, only communicating via pipes with the others.

1
0

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week

Christian Berger
Silver badge

Considering the insane budgets...

... that secret services an Bubble 2.0 companies have, he can be forgiven for believing that that's feasible. After all that's probably at least in the same order of magnitude than the Apollo program.

9
2

Your 60-second guide to security stuff Google touted today at Next '18

Christian Berger
Silver badge

Re: Two-factor while holding a gadget

Well things on your phone are a different category, it's "what everyone else knows, but you".

After all all the "security" mechanisms in mobile OSes are there to keep the user out. The manufacturer or even app developers can still more or less freely spy on you.

4
1
Christian Berger
Silver badge

To be honest, protecting GMail is like...

... putting a high security padlock into a paper bag. Yes, you can protect one aspect of it, however since such webservices always have to have an "I forgot my password" option, there's usually an easier way to bypass those restrictions.

3
3

You can take off the shades, squinting Outlook.com users. It has gone dark. Very dark

Christian Berger
Silver badge

Re: OLED power usage?

You are confusing OLED with LED. "LED"-screens are just regular (usually TFT-) LCD screens with LED backlights. Any OLED technology will actually have pixels lighting up and no backlight. In fact there are currenty OLED lamps actually being made.

You can see that when you look up the datasheet of any OLED display. Here's one example of one not claiming to be AMOLED.

http://cdn-reichelt.de/documents/datenblatt/A400/DS_OLED_EA.pdf

As you can see there's no

AMOLED essentially is just OLED with extra transistors. Apparently those are used (with capacitors) to actually store the image on the screen, and to control it by constant current instead of scanning it.

2
0
Christian Berger
Silver badge

Re: Yay, technology

Actually even earlier than that, however early browsers just used the system colours to display websites... and had a way to control each of the fonts used.

0
0

Intel Xeon workhorses boot evil maids out of the hotel: USB-based spying thwarted by fix

Christian Berger
Silver badge

Re: and in other news

"But then the system wouldn't boot as your encryption keys for Secure Boot are in the TPM."

If you just want got get around Secure Boot, that's trivial. You replace the whole computer with an identically looking one. This computer only asks the user for their password and sends it via radio to you. It will then pose as if the password is incorrect or the computer is broken.Then you have both the original computer and the password, which you can use to get all the data...

The pro attack then will swap the computer back, the user will think they momentarily forgot their password and will be to embarrassed to ever report it.

0
0
Christian Berger
Silver badge

Re: and in other news

Actually what's best is to use nailpolish with glitter or stripes photograph is and place to the photograph as an ad into a newspaper. That way you'll have a constant public hash of your security measure.

BTW there's little else you can do otherwise against "evil maid" attacks, since that maid can just as well replace the mainboard.

Of course the failure on Intels side is to expose the debug interface on some connector that's actually moderately usefull for other things, so removing it is hardly ever an option.

5
0

Quantum, Linux and Dynamics: That's the week at Microsoft, not a '70s prog rock band

Christian Berger
Silver badge

Re: Powershell on Linux

"So I think it's safe to say that Powershell is relevant for way more SAs that Bash is these days."

Well for Windows SAs that is, how however long Microsoft decides to still ship products that need SAs.

3
1
Christian Berger
Silver badge

Re: re: don't bother trying to reinvent wheels that have been invented better elsewhere.

Ohh BTW, one should not forget that programmers and language designers can have different ideas on what an object is. Recently quite some Java programmers realized they had a somewhat different idea about objects than the language designers. The result was that they happily piped around objects over the network resulting in lots of pwnage.

1
2
Christian Berger
Silver badge

semi OT, Windows song

There actually was (is?) a duet of singers calling themselves "The Windows" and they predate the Microsoft product by nearly a decade.

Here's "How do you do?":

https://www.youtube.com/watch?v=TcCxC_-ABFs

2
0
Christian Berger
Silver badge

Re: re: don't bother trying to reinvent wheels that have been invented better elsewhere.

"How is piping text between commands better than piping objects?"

It's by far easier to implement, particularly cross programming language as different programming languages tend to have different ideas on what an "object" is. (or in fact different programmers of the same language)

Text is the lowest common denomitor. You can process in any language, and you can both easily read and write it by hand.

Simplicity is important, it's what made Multics and OLE on Windows basically disappear.

14
2

Dust yourself off and try again: Ancient Solaris patch missed the mark

Christian Berger
Silver badge

Oracle still exists?

Didn't they close down the shop in 1992?

Here's a source for that:

https://en.wikipedia.org/wiki/ORACLE_(teletext)

First airdate from 1978

Closed 31 December 1992

6
0

Here's why AI can't make a catchier tune than the worst pop song in the charts right now

Christian Berger
Silver badge

Re: I get this completely

Well yes, but no performer performs a piece by typing in sample values into a text editor and then then converting that to a wav-file.

Performers don't think in terms of actual samples, they think in tones, and while they may think of them in ways standard notation cannot convey, it's still tones to them, not samples. Just like painters don't think in pixels, but brush strokes and shapes and such.

2
0
Christian Berger
Silver badge

Re: I'm actually surprised that it works on raw samples at all

"What was the actual output format? Surely the AI didn't hear piano WAV and emit a WAV with individual sounds exactly like piano keys?!"

Apparently they did exactly that. This is the second paper I've seen which did that. It's not a smart thing to do, but given enough CPU power you can probably get away with it.

3
0
Christian Berger
Silver badge

Re: Well mixing should not occur

"If there are two pure sound sources in air at two different frequencies - then the "beat" frequencies will also be heard if they are within the audible range. That's the basis of polyphonic singing."

Well but that's strictly not "mixing". What you have here is your ear/brain-system interpreting 2 tones at close distances as one tone which is changing in intensity in a certain way. That's simply because that's essentially the same thing.

The ear/brain-system interprets the signal in certain ways. It's a bit like that triangle pointing downwards in this picture:

http://www.whatispsychology.biz/kanizsa-triangle-illusion-explanation

You could argue that it's objectively not there. You could however also argue that it is there, because all 3 corners are plainly visible.

The same can be said about beat frequencies. Yes, they objectively exist if you look at the envelope of the resulting signal, but no, if you look at the spectrum it does not exist.

0
3
Christian Berger
Silver badge

Re: They cracked this in the 70's

I think they are nearly a thousand pounds, aren't they.

However to be honest the musical numbers composed by it never quite got out of the UK. Even "Little Mouse" is barely known in Germany, for example.

4
0
Christian Berger
Silver badge

Re: Composing

We are in a current hype where fast results seem to be more important than trying something productive. Simply using samples requires the least amount of work by the scientists. Digitizing sheet music, or writing a parser for MIDI-files is much harder.

8
0
Christian Berger
Silver badge

Re: I'm actually surprised that it works on raw samples at all

I actually think that moving to raw samples is a rather bad thing to do. After all that greatly increases the complexity of the problem by adding lots of irrelevant information.

I mean no animal on earth hears by samples, they all hear by intensity over frequency and perhaps phase differences between different bandpass filters. Musicians also don't output samples, but manipulations of instruments.

11
0

No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities

Christian Berger
Silver badge

It's most likely a combination of the following...

Gaining access to unrelated systems in order to know about the social graph of the target.

You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.

This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.

BTW probably _all_ secret services do that kind of thing.

10
0

Forums

Biting the hand that feeds IT © 1998–2018