* Posts by Christian Berger

4038 posts • joined 9 Mar 2007

Sigfox doesn't do IP and is therefore secure, says UK IoT network operator

Christian Berger
Silver badge

It depends

It depends on what you mean by "secure". Yes, I can sniff and spoof your IR remote, but I'll never get it to DDoS something without touching it.

Security depends on threat models. Railway systems, for example, don't need confidentiality. Some signals may even be spoofed without affecting safety. (For example a Stop signal)

Security is not a box-ticking exercise. It's about finding the threats and finding ways to counter them.

Christian Berger
Silver badge

Well there are different threat models in the IoT world

For example you have sensor networks which collect essentially public information like temperatures or water levels of a river, or whether a lamp is broken. It doesn't matter if someone listens in on them; it does matter if someone can spoof those messages.

Now with such "fire and forget" networks, and there are many of them, you essentially have unidirectional data traffic. There is no need for an underlying bi-directional connection as there is no need to have acknowledgements. Having no input is a good way to keep malevolent input from compromising your device.

The security problem obviously lies in the actual network infrastructure. The sane solution would be for the base stations to e-mail the messages to the owner of the IoT device. If done well, they'd be encrypted and/or signed via PGP/GPG and arrive at a server which checks the signature and processes them further...

...judging by the current experience level of many IoT people, they probably use some bloated cloud system with huge attack surfaces consisting of hundreds of web services, each done more incompetently than the previous one.


Compsci grads get the fattest pay cheques six months after uni – report

Christian Berger
Silver badge

Actually

If there are tuition fees, and students therefore have significant debt, the employers will have to pay for it.

Money doesn't depend on value; it only does in economic fantasies. I mean, look at sales-people or stock traders. Those get paid part of their money by sheer luck. People actually buy Apple products.

BTW, 6 months out of university doesn't mean they only have 6 months of working experience. I, for one, had worked for several years before even starting to study.


Microsoft and Facebook's transatlantic cable completed

Christian Berger
Silver badge

Re: It's happened before

"Repairing broken cables involved dragging miles of cable to the surface, slicing it into two pieces and looking which side the light came from, then repeating this on the broken side until light was found again, then splicing in a new section."

You'd think they have some sort of management system or at least an OTDR to help them find that place faster. After all, every cut means additional attenuation which means more noise and therefore, in the long run, more problems with more advanced modulation schemes.

Christian Berger
Silver badge

Well bits are bits (or Shannon, depending on the context), while 8 bits are an octet, not to be confused with the octothorpe key on your telephone.


Ethereum-backed hackathon excavates more security holes

Christian Berger
Silver badge

That's why you should avoid Turing-complete languages when possible

The smart contracts in Bitcoin apparently don't have them, which makes them much safer.


Has science gone too far, part 97: Boffins craft code to find protesters on social networks, rate them on their violence

Christian Berger
Silver badge

I wonder if that distinguishes between...

property damage and violence. At least according to German law, violence can only happen against people...

Or to quote the words of German satirical author "Mark-Uwe Kling", "Yes, there is a big difference, because the radical right is burning aliens, while the radical left is burning cars... which is WORSE, because it could have been MINE. I don't own any aliens."


FedEx: TNT NotPetya infection blew a $300m hole in our numbers

Christian Berger
Silver badge

Re: 300m? .. How many 'IT Pros' would that pay for?

"competence does not come cheap."

That's not fully true. Incompetent people aren't necessarily cheaper than competent ones, because they suffer from the Dunning-Kruger effect and believe they are highly competent.

Christian Berger
Silver badge

Well, let's estimate

Well, at 100k of costs a year for a decently competent employee, that's 3000 man-years.

The Cray 1 supercomputer took about 100 man-years to develop, and so did the 6502. So depending on how you do it, you can design the hardware for your own computer with 200 man-years.

Software is a different question, but writing a UNIX clone takes a few man-years. I know that because I've started writing one based on the FreeRTOS operating system and I got rather far in about half a year. So if you build your software with state-of-the-art security, i.e. making it mostly provable, it'll take something between a hundred and a thousand man-hours.

So essentially they could have gone the route of developing their own systems for exactly their own purposes with state-of-the-art security for less than this cost them. They then would have been sure that there were no file servers running that they didn't want. They would have been sure that their e-mail client wouldn't execute Word macros, etc.


UK Prime Minister calls on internet big beasts to 'auto-takedown' terror pages within 2 HOURS

Christian Berger
Silver badge

It makes sense when looking at it from the other side...

... I mean such "Anti-Terror" laws are great for eliminating public outcry about other topics. The public in the UK probably should be on the street demanding better social systems and similar things. With those laws you can simply lock away people you don't like.

This has been done in Germany already at the Anti-G20 protests in Hamburg. Just claim that protesters were violent, surround them so they cannot flee, then arrest them.


Manchester plod still running 1,500 Windows XP machines

Christian Berger
Silver badge

Re: Entirely unrelated to reduced funding by central government…

BTW, here's a nice anti-UNIX rant from 1985

https://youtu.be/0DdoGPav3fc?t=21m45s

It also highlights one point unixoid systems had back then: software was distributed as so-called object code, which is the output of the compiler. Obviously that's not portable.

Christian Berger
Silver badge

Re: Entirely unrelated to reduced funding by central government…

"Not unless you consider it a good use of the "big back end system" to be taking an interrupt for every character typed and keeping a map of the screen contents so that it can redraw it when the noisy and unreliable async connections suffers a parity error."

a) There's Ethernet now, as well as port concentrators.

b) The redrawing is done by ncurses, which is still orders of magnitude simpler than most web frameworks.

Christian Berger
Silver badge

Re: Entirely unrelated to reduced funding by central government…

"I mean, it's how it should be, right? It's going to keep working forever, practically."

Well, that's a general trend in IT and perhaps other areas. Why make something simple when you can make it more complicated? Of course we'd be better off if we ran business systems on text-mode interfaces. However, in the 1990s there was this bizarre trend towards Windows and "distributed computing", since suddenly PCs were cheaper than terminals, and unixoid systems were more expensive than a computer running Windows 95. Also, there was a time when unixoid systems were seen as "lagging behind". Of course, with Linux and *BSD this has changed a lot.


Chap tames Slack by piping it into Emacs

Christian Berger
Silver badge

Re: So... what's the big point for slack?

You know, that gives me an idea. Wouldn't it be interesting to have an "IT Security and/or Engineering" doll? Kinda something that could act as a role model toy for children. Perhaps even with a Free (as in speech) design you could print out.

Christian Berger
Silver badge

So... what's the big point for slack?

I mean, you depend on a single company for your communications. They can easily listen in on this, and if they go down, or they simply don't like you anymore, you're cut off.

Meanwhile on IRC you can simply run your own server.

So what is the big advantage evening out all the disadvantages?


UK PC prices have risen 30% in a year since the EU referendum

Christian Berger
Silver badge

Re: Markets are mostly psychology

"Protip: it's not the 1600's any more, the UK is not an empire. UK needs EU more than EU needs UK."

Yes, but the EU rarely decides on what's best for the people. After all, if those in power had thought that way, there wouldn't have been special rule after special rule for the UK. It's hard to imagine that that mindset is suddenly gone.

And that agreement would do 2 things: the Commission could boast that they got 20 billion from the UK and nobody would question how much the actual debt was, and the UK would get its special treatment.

Christian Berger
Silver badge

Markets are mostly psychology

The UK has its own currency, not fixed to the Euro or the Dollar. So essentially people now invest less in the UK as they believe that their investments will be worth less after the Brexit. After all, if you open a factory in the UK it's much less useful when you cannot sell to the EU. Therefore the demand for GBP is falling, and therefore the price is, too... which means you have to pay more GBP for something with a fixed dollar price.

The whole thing wouldn't be much of a problem if the UK still had a big manufacturing sector, but that was apparently killed during the Thatcher Era.

BTW, it doesn't matter how the Brexit will actually turn out; what matters is how investors believe the Brexit will turn out.

(OT: My prediction is that there will be an agreement, the UK will pay back 20% of its debt and will get special treatment in exchange for it)


Outlook.com looking more like an outage outbreak for Europe

Christian Berger
Silver badge

Re: O365

We live in a sad world where Exchange is seen as a competitive solution for E-Mail.

Christian Berger
Silver badge

This is e-mail, it shouldn't be complicated

All those protocols are text-based and, by today's standards, utterly trivial.

However, we have a tendency for people to make trivial things more and more complex, up to the point where they fail. This is why we got webmail, and this is why some webmail providers try to complicate matters even more by putting their webmail servers into the "cloud".

If you have important e-mail, go to a reputable provider, pay your xx Euros a year and use IMAP4, not webmail. It'll just work, it'll be lightning fast and you'll have next to no outages.


What do you call an all-in-one PC that isn't? 'Upgradeable', says HP

Christian Berger
Silver badge

Or buy the HP-Z1...

... which is one of the few all-in-one PCs where people were actually trying.

https://de.ifixit.com/Teardown/HP+Z1+Teardown/8840


VMworld schwag heist CCTV didn't work and casino wouldn't share it

Christian Berger
Silver badge

What if they (deliberately) mislaid them?

I mean, clearly Nutanix got way more publicity from that than what those badges cost.

It's kinda like that prototype iPhone one of the managerial staff "forgot" at a night club.


Fancy that! Craft which float over everything on a cushion of air

Christian Berger
Silver badge

I think I've first heard of hovercrafts as a child on Austrian TV

Austrian TV channel ORF1 had this wonderful Australian programme, and I think this is the exact part of it:

https://www.youtube.com/watch?v=BIjYIPoE4_E

Of course it was dubbed, but since Australia also uses PAL, it didn't have to go through an expensive format change.


Apple: Our stores are your 'town square' and a $1,000 iPhone is your 'future'

Christian Berger
Silver badge

"Yeah they fixed it."

Then you use a mask. For every sensor there's a way to fool it.


Another reason to hate Excel: its Macros can help pivot attacks

Christian Berger
Silver badge

Now add to that that there was OPC

OLE for Process Control required OLE and DCOM to be enabled before the recent switch to OPC-UA (which uses some sort of XML over HTTP).

However, since process control systems run for decades, it's very likely that many highly critical systems still use that.


The new, new Psion is getting near production. Here's what it looks like

Christian Berger
Silver badge

Yes, but then you'd have...

Android or iOS or any other of those cut down, but highly complex mobile telephone OSes, which achieve so little with so much effort.

Christian Berger
Silver badge

Simple, it's an actual Linux

I mean, you can just run a normal Linux distribution on it. You no longer have to work with a cut-down Linux with pseudo-security features which protect the business models of app developers while completely ignoring the user.

Christian Berger
Silver badge

Re: other devices also now available?

Yes, though that manufacturer got a bit of a bad reputation for the previous model only supporting Windows 10. This one is announced to support Linux.

Christian Berger
Silver badge

Re: No Google?

"Is it a phone, though?"

Seriously, if you want a mobile phone there are hundreds of sub $50 devices out there which will do just that.

Christian Berger
Silver badge

Re: Sony Vaio P

Well, Sony Vaios always had the problem of having exotic hardware, so you're stuck with the vendor-approved version of Windows.

Christian Berger
Silver badge

Well

Chromebooks are rather locked-down devices which require you to jailbreak them... resulting in what's essentially a bog-standard laptop. The default software on Chromebooks is essentially a Google client.

The great advantage of this is its form factor. It's essentially a laptop, but much smaller. And it's not as locked down as Android, so you can actually _do_ stuff with it.


Achtung! German election tabulation software 'insecure'

Christian Berger
Silver badge

Re: I love CCC

Decades actually. Here's a report of a hack on the German "Prestel" called "Bildschirmtext" or BTX.

https://www.youtube.com/watch?v=TOflxejp4Z4

Essentially they got the login of a bank, and set up a relay to call their donation page over and over again.

Christian Berger
Silver badge

Re: It's actually very incompetently made

They gave _lots_ of money to very incompetent people. This was of course made by a private company.

Christian Berger
Silver badge

It's actually very incompetently made

Including a logo that's clearly WordArt, and claims like having a "non-indexed database".

It uses HTTP to upload the data to a central server... where there's a PHP script taking the data. It uses password protection, but those credentials are test/test or gast/test, or test2/test2...

This is the homepage, BTW:

https://www.wahlinfo.de/


Facebook claims a third more users in the US than people who exist

Christian Berger
Silver badge

Well of course it's mostly fake accounts

Just look here:

http://www.wolframalpha.com/input/?i=facebook+users+per+world+population

While they made great efforts to cut them down, there are still plenty of them.


Secure microkernel in a KVM switch offers spy-grade app virtualization

Christian Berger
Silver badge

BTW, verified kernels mean only very specific things

A verified kernel might prevent your USB stack from overwriting other code, but it's not necessarily going to prevent parts of your USB stack from overwriting other parts, and therefore eliminating the "data diode" on the USB ports.

Additionally, this implementation encodes window positions in separate pixels, which is both error-prone (some graphics cards rescale/gamma-correct their framebuffers before sending them to the screen) and another interface and therefore attack vector.

In any case, it's what I suggested as a response to this talk here:

https://media.ccc.de/v/MRMCD2014_-_6037_-_de_-_tiefbaustelle_s21_-_201409071330_-_end-to-display_verschlusselung_zur_absicherung_von_industriespionage_-_sango

Christian Berger
Silver badge

Re: What I don't understand is why that needs an OS kernel?

"You also need to direct the input to appropriate machine, and how do you know which machine that is?"

Actually, that's what I've tried to explain in my OP. You can either use the mouse position, or have some sort of focus system where you have, for example, a row of buttons on the KVM with which you can select one of the systems to receive all input. If you set your background to "transparent", you can even draw a border around it, or grey out all the other systems.

"WEY-TEC USB Deskswitch II does not work with Topre Realforce keyboards"

Most KVMs on the market today have horribly bad firmware, cobbled together by people who have no idea what they are doing. There are many KVM switches which essentially crash when you select an input with no video coming in.

Christian Berger
Silver badge

What I don't understand is why that needs an OS kernel?

After all, this can essentially be done by video mixing, something that TV studios have done since the 1960s.

Essentially you'd sync all sources together, either via genlockable graphics cards, or via a separate framebuffer on your mixer (no CPU intervention necessary; this can all be done in hardware). The framebuffer can even do things like scaling resolutions, or cropping video.

Then you define a "transparent" colour, as well as a priority list for all those layers. Every 8- or 16-bit 1990s games console did that in hardware.

The only thing that actually needs a CPU to touch actual data is the system that determines the mouse position and distributes the mouse and keyboard events across the individual systems. And that code is rather trivial. It only needs to translate the position information into absolute coordinates, ask the hardware which system is at a certain pixel, and forward it to that system.


Networking vendors are good for free lunches, hopeless for networks

Christian Berger
Silver badge

Re: Essentially it's about detecting crap

Well yes, but replacing equipment while it's running in the field is very expensive, and most vendors will try to weasel themselves out of their liability. Essentially it would mean that you have to do extensive fault analysis on a device which is currently running in a production system.

Most companies won't even have the equipment to fully diagnose a problem like a faulty implementation of Ethernet link negotiation. Without that, most vendors will simply shrug off the problem, as they can always blame it on other components.

Christian Berger
Silver badge

Well we do have a different problem now

We have simple solutions to simple problems, but then someone claims there to be some use case that doesn't actually exist (or only exists because of stupidity), which results in people replacing something simple with something _much_ more complex.

Typical examples are HTTP/2, systemd or UEFI.

Christian Berger
Silver badge

Essentially it's about detecting crap

Unfortunately we live in a world with lots of crap. So as always:

- Use well-defined standards with more than one implementation.

- Check for interoperability.

- Avoid having only one vendor.

- Avoid people who buy you lunches; their only useful function to you is to lend you equipment for tests.


Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers

Christian Berger
Silver badge

Isn't serialization something inherently scary?

I mean, you turn an object, which can contain both data and code, into a binary blob, then you turn that blob back into data... and code. I mean, if you send that binary blob across the network, you should at least be scared that it's not compatible between different versions of your code.


What's your flava? Ooo, tell me what's your flava... of Ubuntu

Christian Berger
Silver badge

Does KDE work now?

So far, in the last decade or so, every KDE installation I've seen, over various hardware devices and various software versions from SuSE to Kubuntu, had severe display problems. This starts with rounded borders of windows having messed-up backgrounds and goes on to actual crashes.

Has this been fixed now?


Flying electric taxi upstart scores $90m from investors

Christian Berger
Silver badge

Well their visions cannot work

There are lots of companies like this one. Usually their main selling point is that they will allow you to get around traffic jams... however...

The air might look like it has a huge capacity, but you have greater speeds and a less stable system which forces you to have higher safety margins... which means traffic jams again.

Any increase in capacity usually results in more traffic filling it.


Retail serfs to vanish, all thanks to automation

Christian Berger
Silver badge

Well, it might go another way

Instead of the "Singularity" we might get the "Crapularity".

We experience technology working less and less well. Ask a 1980s programmer to make a little database table editing program, and they'll write a few lines of dBase. Ask a 2017 programmer and you'll get several Java or PHP frameworks cobbled together which might, if everything was done competently, be as good as the 3-line solution from the 1980s.

This is what we get today. Things become more and more complex. Where you used to have a simple manual listing commands to drive a peripheral, you now have huge software abstraction layers which usually lack the function you want to have.

Currently companies like Google or Amazon still get the people who know how to solve a problem as simple and flexible as possible. It's unclear if this will continue. Eventually those people will retire and unless we ramp up education, there might not be a generation which grew up with actual computers.


It's official: Users navigate flat UI designs 22 per cent slower

Christian Berger
Silver badge

Back in the olden days...

... you had rooms full of laypersons doing essentially what that study did, but before you shipped. Companies like Xerox even went so far as to teach children and Disney animators how to program.

Christian Berger
Silver badge

Re: Personally

Well, there is more than just the number of participants that is relevant. The study could have some serious flaws...

...however, the results of the study are exactly what you'd expect from a GUI which removes important visual cues to how it works. Just imagine having a room with an invisible touch-sensitive sensor instead of a clearly visible light switch. You'd probably still touch the right space on the wall many times, but if you don't, it's hard to see where you should have touched it.


Smart meters: 'Dog's breakfast' that'll only save you 'a tenner' – report

Christian Berger
Silver badge

Smart Meters would be cool...

... if they could send their values to my MQTT server and only a yearly total to the power company. Perhaps, if the local grid company needs it, it could also send its current power anonymously over the power wires.

That's something I would pay that money for.


It's happening! Official retro Thinkpad lappy spotted in the wild

Christian Berger
Silver badge

Those displays are custom made anyhow

So having a different aspect ratio shouldn't be a problem. I, for one, would like to have a communicator-shaped one with an 800x240 or similar display.


'Independent' gov law reviewer wants users preemptively identified before they're 'allowed' to use encryption

Christian Berger
Silver badge

It's not about those who can use netcat

"Because as we all know, it's impossible to send encrypted data across the internet without a social media/email account."

This is not about the technically adept. This is about the layperson. The whole idea is to condition normal people into compliance; a few freaks who know how to use computers don't count.


Asterisk bugs make a right mess of RTP

Christian Berger
Silver badge

Re: But it's open source!

Asterisk probably is one of those prime examples of "Open Source" vs "Free Software". It's essentially developed by one single company which is very picky even with patches that would be sensible (like the Opus patch that's floating around).



Biting the hand that feeds IT © 1998–2017