* Posts by Christian Berger

3728 posts • joined 9 Mar 2007

Linux is part of the IoT security problem, dev tells Linux conference

Christian Berger
Silver badge

Yes, but that's actually a general trend

We see more and more idiotic standards around. With the availability of libraries for just about any use case, it seems trivial to just cram them together instead of making your own lean and simple purpose-built protocol.

As with most security problems, it's probably caused by immature programmers. Every programmer has an urge to build complex "castles in the sky". Mature programmers have learned to control that urge and funnel it into creating simple but flexible systems.

In a way one could say that using Linux for systems which could work with some much smaller RTOS is a problem, particularly when you run additional services on it, but any decently mature developer will try to avoid having such unneeded services in favour of a serial port on a pin header on the board.

12
0

Congrats, PC slingers. That's now FIVE straight years of shrinking sales

Christian Berger
Silver badge

The markets are moving

In the last years we had several markets focusing on the PC.

We had the "home user" who previously had a home computer, but moved to the PC when it was promising more "bang for the buck" than an Amiga. Those people are now moving to Android.

We had the "office user", a traditional PC market which gained some traction when it was joined by the people who found out that you can use a PC as a terminal for some AS400 system. Those now experience longer product lifetimes, and Windows getting much less useful for them from version to version. This goes as far as there being serious legal doubts if Windows 10 could be used in a German workplace because of all its spying. So a new Windows PC is a tough sell there.

Then there's the "workstation" market. Those people bought UNIX workstations and moved to PCs when they were cheaper and offered memory management (protected mode). Those are running Linux or some BSD on a PC, or also work with Macs or Windows with cygwin installed. Their future is uncertain, but if everything fails they'll probably move to servers and Raspberry Pis. A PC would have to be much better than the one they are using now to warrant a change... and particularly with things like UEFI that's not likely to happen.

3
0

Digital video recorder installers master password list 'leaked' – claims

Christian Berger
Silver badge

In the past people said that you should never write a password onto the computer it's valid for

However compared to master passwords, that seems like a really good idea, since once you have physical access to the device, you could as well just pull out the hard disks from the RAID and read the data that way.

0
0

Fedora 25: You've got that Wayland feelin', oh, that Wayland feelin'

Christian Berger
Silver badge

The problem is that there are people perceiving problems

...and wanting to solve those problems, as it means a way of expressing themselves. Having your code in a major OpenSource software project gets you noticed and gets you a decent job.

However most of those people are too immature to actually improve the situation. At best they come up with something that has different problems, at worst they open up new dimensions of problems which will be fixed by yet another project. (see OSS vs ALSA and Pulseaudio)

If I were to make such a "windowing system" I'd take a look at what other, more innovative operating systems have done. One example is "Plan 9" which exposes (virtually) all APIs via virtual filesystems. So you have a "main" directory which represents your screen, and every window would be a subdirectory. Inside those windows you could, for example, have your GUI elements as individual files/subdirectories. Since this works with basic file IO routines it's language independent and you can, for example, have a GUI toolkit that has elements written in different languages running as different processes. Since you have a file-based interface, you could even set access rights or export parts of that tree over the network. Essentially you get less code and get a much more flexible system. While speed might seem to be a problem when you first look at it, the use of mmap can easily solve that problem. However that's just my view of the world, unlike the "Wayland, Freedesktop, Systemd"-people, I do not think it's a good idea to force this on the world.

0
0

FM now stands for 'fleeting mortality' in Norway

Christian Berger
Silver badge

Re: It's not the first country

FM-transmitters are so simple to build yourself that it's virtually impossible to regulate them.

Broadcast Band II is kinda impossible to use for non-broadcast applications as it's too low in frequency and too narrow for serious cellular applications. You could use it for paging... but then again our paging networks are already kinda dying.

6
0
Christian Berger
Silver badge

Re: It's not the first country

Who says Norway might not get back to FM? Or perhaps have a new generation of FM stations? Pirate stations perhaps. Since DAB covers Band III and FM covers Band II, there's no reason both standards can't coexist.

8
0
Christian Berger
Silver badge

It's not the first country

Australia already shut it down in 1961:

https://en.wikipedia.org/wiki/FM_broadcasting_in_Australia

3
2

Routine jobs vanishing and it's all technology's fault? Hold it there, sport

Christian Berger
Silver badge

Yes, but we've been good at making up work

We now have whole departments at large companies building management theories to justify that an appliance manufacturer needs manufacturing.

We have people who design development guidelines which completely miss the actual problems of developing a complex system and try to squeeze the process into an ideological framework.

We have bad software taking more work to operate than doing the same job without its help.

We have outsourcing that requires more work to maintain and check the outsourced work than to do the job yourself.

We deliberately solve trivial problems as complex as possible to waste more and more work on them.

In short, we are currently doing a great job at making sure we all still work 40 hours a week, while the same amount of work could be done in 10 hours, by people using proper tools and being well educated and experienced.

0
0

Folders return to Windows 10's Start Thing

Christian Berger
Silver badge

The sad thing is something different

As a more professional user I personally do not care much for Windows. However Windows used to be one of the reasons why PCs were so cheap. That way you can spend only a few hundred Euros on a high quality PC, ditch the current version of Windows and install whatever operating system you want.

With the move to Android we see a fragmentation of the market. Every Android device is incompatible with the others. That's why it's so hard to get other operating systems for those. We now even allow hardware manufacturers to lock down their boot loaders to actively prevent you from running your own software.

4
8
Christian Berger
Silver badge

Re: Can you imagine Windows 95 going at the speed of today's hardware?

Well a Win2k or XP with all the security bugs removed would be great. Unfortunately for some reason Microsoft refuses to fix the bugs.

It's an unfortunate trend that software now seems to remove more and more useful functionality, but still gets bigger and bigger.

10
0

Virgin America mid-flight panic after moron sets phone Wi-Fi hotspot to 'Samsung Galaxy Note 7'

Christian Berger
Silver badge

Actually it seems more like the cabin crew were idiots

I mean the chances of someone still having a Galaxy Note 7 and taking it on a flight are very slim. Even more so that it actually creates a WLAN with the name of the device in it.

1
1

Eating Brotli will improve Edge's inner health says Microsoft

Christian Berger
Silver badge

Puns only work...

...among the most similar words. That's why team isn't a pun on tea, even though they share the tea.

A better image would of course be something like this:

https://de.wikipedia.org/wiki/Br%C3%B6tchen#/media/File:Kaisersemmel-.jpg

4
0

Zuckerberg turns his home into Creepy Robot Buddy

Christian Berger
Silver badge

Wouldn't it be rather simple to have a door that keeps idiots out

Just take a photograph, search it in the Facebook database and if you find a match with an account, open the trapdoor.

7
0

Oi! Linux users! Want some really insecure closed-source software?

Christian Berger
Silver badge

Bigger jumps in Version numbers

There's an obscure operating system called Windows. It jumped from 3 to 95 to 98 to 2000 to 7, 8 and then 10.

22
1

Why don't people secure their IoT gadgets? 'It's not my problem'

Christian Berger
Silver badge

Re: The problem's in the architecture

Yes, I still believe that this might have something to do with immature programmers. They try to design giant and complex "castles in the sky", but then are unable to implement them properly.

However making products that are supposed to "just work" is responsible for many of those security problems. That is, for example, why webcams try to instruct your router to open port forwarding for them.

4
0

Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

Christian Berger
Silver badge

Re: Failure the Unix way...

Well one thing is true, on Unix you move those checks to the domain specific parts at the edges. So in the core of your program you don't have such checks.

However on Unix you also try to have simple formats. Formats that are simple enough they can be parsed with only very few lines of code. If you need more complex structures you try to use multiple files arranged in directories. Inside of a file you only have line based text separated with field separators. Inside the core, where nothing is problem oriented, you only deal with lines and fields.

1
1
Christian Berger
Silver badge

It's the start of a new generation

Slowly but surely we see the "Linux ecosystem" taken over by the same kind of people who took over the Windows ecosystem. People who haven't matured yet and therefore write code more complex than they can handle.

And this is one of those examples, they believed that they can handle complex file formats by outsourcing the parsing to an already existing parser... and fail in a really bad way.

10
3

Meet Hyper.is – the terminal written in HTML, JS and CSS

Christian Berger
Silver badge

While there may be a serious use case for a terminal in the browser...

... particularly since it allows you to make simple web applications much simpler and therefore much more secure, adding the bloat of multiple libraries and frameworks kinda eliminates the effort.

What would make sense would be a "DOM-Terminal" standard. A simple protocol which turns the browser into a terminal you can send commands to, to modify your document tree.

0
0

Top tech company's IP was looted by China, so it plans to hack back

Christian Berger
Silver badge

Re: Hopefully no acronyms used

I once was at a company called BSH. They had an IT department....

0
0
Christian Berger
Silver badge

It's got nothing to do with money

Security doesn't necessarily cost money. Security requires a certain mindset, not spending money.

2
0
Christian Berger
Silver badge

Attribution is hard and usually impossible

You cannot trace back the origin of malware or an attack just like you cannot trace back the origin of a text. Of course you can say that a text is written in Chinese so it might come from China, but that's largely bullshit. Everyone can fake that...

...and this is the problem with "Cyberwar", anybody can trivially claim they are X and attack country Y so Y will strike back to X even though X is innocent. You don't need people to learn a foreign language, just compile your code on a Windows version from that country and rent a foreign server at a hosting company in that country and people will only find that.

So whenever you hear "Country X did it", there usually is a very flimsy chain of evidence behind it. It's virtually impossible to actually know where such an attack came from.

What we can do to prevent it is normal IT security. And that's _much_ cheaper than any "Cyberwar".

2
0

Remember that amazing video of the whale leaping out the gym floor and splashing down? Yeah, it was BS

Christian Berger
Silver badge

Well you need to do plausibility checks

And actually such augmented reality could, in theory, be possible if you extrapolate the technology we currently have, after all there's nothing absolutely impossible. You could, in theory, set up something like that with already existing equipment. It's just that often companies are simply not up to the task of doing it.

What I find more frustrating and noteworthy is that some people choose to believe other, more abstract, impossible things. For example some companies claim they can somehow build mobile devices that can store information "securely" without you entering a secure passphrase. This is obviously bullshit once you think about it. In order to encrypt and decrypt mass data you need to have some sort of a key. Now you either completely derive it from your passphrase (and some data being on the device), or you need to store it somewhere. All the data that's on the device can be read, even if it's on "security chips". All it takes is a moderate budget... which actually may be quite small for mass produced devices. (uncap the chip, add some traces on the FIB and you can brute force the PIN)

0
2

Real deal: Hackers steal steelmaker trade secrets

Christian Berger
Silver badge

Re: ThyssenKrupp said the attack was not attributable to security failings

"But some security failings can never be effectively policed, like moles."

No, but according to the accounts of people who worked there, they had extremely bad security.

https://www.heise.de/forum/heise-online/News-Kommentare/Massiver-Hacker-Angriff-auf-Thyssenkrupp/ThyssenKrupp-und-das-Maerchen-aus-der-Pressemitteilung/posting-29614397/show/

They didn't update their firewalls, they still used DES for their VPNs, they didn't separate their production LAN from their office LAN, etc...

"Is it really a security failing if it's one beyond anyone's ability to secure?"

You could as well ask if someone who hasn't learned to drive is responsible for the accidents they caused. If you are unable to do something, maybe you should not do it... particularly not at such a company.

"Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?"

No, but this is more like having your car unlocked and parked at a busy parking lot... and then complaining about it being stolen.

0
0

90 per cent of the UK's NHS is STILL relying on Windows XP

Christian Berger
Silver badge

Why not Windows PE?

Seriously it has all the features you need while consuming a low amount of system resources. There are no privacy concerns and it's even free.

I mean with Vista everybody knew that operating systems from Microsoft would go downhill. Even Windows XP had some serious disadvantages over Windows 2000.

One can also give this a totally different spin. Microsoft is charging money and system resources again for something they already delivered without providing any new functionality. They try to enforce them by refusing to fix any mistakes they made during the production.

3
5

China and Russia aren't ready to go it alone on tech, but their threats are worryingly plausible

Christian Berger
Silver badge

How many people do you need to build/design a computer?

The Cray I was built by about a dozen or so. So was the 6502. Considering you could go quite far by building something like a C-64, but with more modern production techniques, there would be a very plausible and efficient solution.

Just embrace simplicity and don't worry about efficiency at first. Efficiency is something that should only be considered early in the process if it gives you several magnitudes in speed. Split up your problems into domains, decide which domains need high security, run those on your own hardware. Find out the ones which do not and which require high speed (i.e. graphics output) and run those on isolated commodity hardware.

2
0

What can we use to hit Intel between the eyes, thinks Qualcomm – a 10nm ARM server chip

Christian Berger
Silver badge

Re: People don't buy x86 because of Performance or anything

"you *cannot* deploy an arbitrary Windows image on an arbitrary x86 desktop laptop server etc and expect the OS to work right."

Well that's actually a problem with recent (since 2000) versions of Windows. With other operating systems or even Windows PE, the version the installer runs on, this is no problem at all.

0
0
Christian Berger
Silver badge

People don't buy x86 because of Performance or anything

They buy Intel because there's a platform around it. It doesn't matter if you have an x86 processor from Intel or AMD or Cyrix, and it doesn't matter if you have a PC from Dell, Supermicro or IBM. You can use the same OS image everywhere.

Unless there is a decent stable common hardware platform, ARM will not get into the PC or server business. Nobody there can tolerate being limited in what OS you can use.

4
6

BlackBerry's final QWERTY floats past the rumour mill

Christian Berger
Silver badge

Blackberry never was an engineering-led company

If it was, they'd have had an open standard allowing for 3rd party servers, right from the start. Their insistence on only allowing it to work with their own closed source BES was the reason why it ultimately failed.

Add to that the promise of security which was regularly broken, and you have a recipe for doom.

0
0

Axel Springer boss defends Facebook in fake news controversy

Christian Berger
Silver badge

One should note that Axel Springer...

...publishes quite some fake newspapers on dead wood. The most famous one is "BILD".

4
0

Internet of Things alliance LoRa: Licence to WAN? Yes please

Christian Berger
Silver badge

If you want to read an actual article about LoRa...

... I can recommend you issue 13 of PoC||GTFO

Why do most articles about "IoT" have to be so devoid of content?

1
0

Chap creates Slack client for Commodore 64

Christian Berger
Silver badge

Re: Fake Story

Well we need to be fair here. If you look at the Wikipedia page for "Slack" you'll notice that they probably needed more than 10 minutes to find out how to turn it on.

0
0
Christian Berger
Silver badge

Actually...

Reading the Wikipedia page on "slack" it seems like this would be something that should actually run completely on a C-64 with hard disk.

0
0

GET pwned: Web CCTV cams can be hijacked by single HTTP request

Christian Berger
Silver badge

Re: whistle blowers

I guess the developers just don't understand what kinds of errors they made. After all if they did, they probably would have avoided them.

2
0

Huawei Mate 9: The Note you've been waiting for?

Christian Berger
Silver badge

Re: Memory? removable battery?

This is not a technical review, it's a fashion review. It doesn't care about technical things like batteries or the stylus, it cares about things like how it looks.

Since most mobile phones are virtually identical from a technical standpoint, that's all there is to compare.

0
0

'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

Christian Berger
Silver badge

The big problem is...

that Deutsche Telekom now poses as a victim, even though it's their fault.

Like many security problems their problem comes from risky behaviour, in this case a cheap, badly implemented router they didn't even bother to test properly.

A simple ACL on the box, which would prevent it from talking to anybody else than Deutsche Telekom, would have completely eliminated this problem at virtually no cost. After all they already get their custom firmware and custom cases from the vendors.

1
1
Christian Berger
Silver badge

It's complicated

Many companies resell their DSL and add their own router which they'd like to manage from outside the Telekom network. So you may have an IP telephony company renting you a CPE which turns the DSL they buy from Deutsche Telekom into 4 ISDN T0 lines. That equipment needs to be remotely managed from outside the Telekom network.

Obviously the smart thing would be for vendors and deployers to restrict the IP ranges the connection requests are accepted from. Essentially a little ACL in the router would do... unfortunately despite that being a really powerful and easy to implement feature, hardware vendors tend to not use it.

BTW, Deutsche Telekom could have just used a rather decently secure alternative from a German vendor which wouldn't have been much more expensive. They chose the cheaper route and they chose to not test it properly.

3
0
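The source-range ACL that both posts above call for (the first on the Telekom box, the second on resold CPE), written out as an added nftables example; it is not configuration from Deutsche Telekom, the router vendor or the incident. Assumptions: a Linux-based CPE with nftables, interface names "wan0" and "br-lan", and the management prefixes 192.0.2.0/24 and 198.51.100.0/24, which are documentation placeholders to be replaced with the provider's real ACS ranges; TCP 7547 is the standard TR-069 connection-request port.

```nftables
# Added example, not any vendor's shipped firmware configuration.
# Assumed: WAN interface "wan0", LAN bridge "br-lan", and the placeholder
# prefixes 192.0.2.0/24 and 198.51.100.0/24 standing in for the provider's
# real management (ACS) ranges.

table inet cpe_wan {
    # The only sources allowed to open a management session on the CPE.
    set acs_ranges {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to sessions the CPE itself opened (ACS inform, DNS, NTP).
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept
        # LAN-side services (DHCP, DNS, web UI) stay reachable from inside.
        iifname "br-lan" accept

        # Weak setting, shown for contrast; this is what an unfiltered box
        # effectively runs, answering the whole Internet on the management port:
        #   tcp dport 7547 accept

        # Hardened: only the provider's ranges may reach the CWMP port.
        iifname "wan0" tcp dport 7547 ip saddr @acs_ranges accept

        # Any other connection request to the management port is logged and
        # dropped; the counter and log prefix are what an operator watches
        # to spot a scanning wave against the fleet.
        iifname "wan0" tcp dport 7547 log prefix "cwmp-acl-drop " counter drop

        # Nothing else is exposed on the WAN side: the chain policy drops it.
    }
}
```

Load it with nft -f on the device; after the change a connection request from outside the set shows up as a counted "cwmp-acl-drop" log line instead of a session.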

Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Christian Berger
Silver badge

Well this was completely avoidable

I mean it's just extremely risky to put a system that can easily run code from any e-mail and doesn't even show "file extensions" by default into the hands of untrained workers.

If they had just been a bit more cautious and, for example, provided their users with simpler systems where they cannot easily make such fatal errors. If everything fails, give them terminals for the business end of things.

3
4

2.1Gbps speeds over LTE? That's not a typo, EE's already done it

Christian Berger
Silver badge

"Exactly how far they can push it before they have to replace it with fibre is anyone's guess."

Actually not, information theory provides us with ways to precisely determine the maximum rate of information over a channel given the SNR and the bandwidth. Depending on what values you assume (how much the old 1980s cables have rotted away) you get somewhere in the double-digit gigabit range, a tiny fraction of what you can get today via fibre-optic cables.

1
0
Christian Berger
Silver badge

"contention also applies for home wired (XDSL/DOCSIS/FIBRE) connections too."

Yes, but there you can easily avoid it by proper network planning. With wireless networks (and DOCSIS) you have severe physical limitations.

1
0

Demo may have frozen, but narrowband IoT stew is still piping hot

Christian Berger
Silver badge

It also involves idiotic design decisions

I mean NB-IOT would be ideally suited for e-mail as the communications standard between the provider and the end user. Since we are often talking about _really_ low bitrates (<1000bps), transmitting a datagram takes quite some time anyhow.

E-Mail is fast, typically an e-mail will arrive within a second. However it's also resilient against errors. If your mailserver is down for a couple of hours you will not miss a single e-mail.

0
0

A closer look at HPE's 'The Machine'

Christian Berger
Silver badge

Yes, but...

the IBM360 is still rather popular, and I believe this project can be easily compared to the IBM360, even to the point that if it fails, HPE might be no more.

0
0
Christian Berger
Silver badge

Actually a quantum leap will not be enough

A quantum leap is the smallest change a system can do. A quantum leap would be to take a conventional server... and remove a screw.

What's needed here is a revolution. The kind of revolution that used to be common in the 1970s and 1980s, where the "next" machine commonly was 2-10 times faster than the previous one.

2
0

Poison .JPG spreading ransomware through Facebook Messenger

Christian Berger
Silver badge

Facebook spreading ransomware...

...a company that earns its money by taking social relations hostage spreads software made by people who take files hostage.

7
0

Emulating x86: Microsoft builds granny flat into Windows 10

Christian Berger
Silver badge

Re: Erm DosBox...

Well actually, back when that Windows software was written 640x480 was an OK resolution with 1024x768 being about the maximum you can get.

If Microsoft was to either find a way to rearrange GUIs so they fit on those tiny screens, or bring out a mobile device with keyboard and pen, those software packages would be useful again.

Also there's a lot of software packages around for Win32 which are still maintained. They could still adapt the GUI without changing the rest of the system. This would give those applications a bridge.

Furthermore there's also quite some Win32 stuff, like VPN clients, which do not really need a GUI.

0
0
Christian Berger
Silver badge

Actually, now they are trying the shit that stuck

I mean if you look at Microsoft, the only thing that's consistently worked for the last 20 years was the win32-API on x86. If you wrote a program only using that in 1996, it's very likely it'll still work perfectly fine today. If you were smart, it won't even need any kind of installation or framework.

Now Microsoft is finally trying to do what they can do best, running win32 code.

To succeed you need to find something you can do well. For the iPhone this was shiny design, for Android this was the (broken) promise of having an open system. For Microsoft this always was running legacy code from the previous decades.

And it's always been that way, even if you look at the famous Windows 386 commercial, you'll notice that they are mostly running DOS software in their shiny new Windows 386.

https://www.youtube.com/watch?v=noEHHB6rnMI

Even well after the year 2000, people often ran DOS software for some applications.

0
0
Christian Berger
Silver badge

Re: Legacy %

"How many people need to run "legacy" apps? Most people use a browser, office, skype..... and not much more."

At home, maybe, but in companies legacy code is essential. For example we use WS_FTP95 at my current company as the only allowed FTP-client. At a company I was at before (from 2008) we were using Protel98, an electronic CAD package from 1998 with no plans to ever upgrade.

There's plenty of software run in companies that will never be updated because it runs and because Win32 used to be more or less stable. In fact there are even many software packages like Praxident which were maintained over 2 decades, but assimilated all those old technologies which seemed hip at the time. Those packages use everything from OCX components over OLE Automation and direct access to printers, up to .net.

The Business market is still important for Microsoft. Office is one of their most profitable products, and companies are likely to purchase profitable service contracts.

The consumer market is long lost to Android anyhow.

3
0
Christian Berger
Silver badge

Finally!

Finally a reason to run Windows for ARM over Android. Now they only need to find a way to automatically adapt desktop UIs to make them usable on small touchscreen devices. Alternatively they could introduce a phone with stylus and keyboard.

The point is that they cannot out-iPhone the iPhone. If they want to succeed, they need to build on something only they can provide... in the case of Microsoft that's running legacy Win32 and Win16 code.

4
1

Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking

Christian Berger
Silver badge

Where did ZyXEL get their reputation for providing usable hardware from?

That must be from back when they made phone line modems. We once had a couple ZyXELs in our lab. One couldn't work with PPPoE usernames containing a #. With another firmware it would randomly forget settings. Another ZyXEL was unable to adapt to one simple quirk in the SIP of a certain provider.

0
0
Christian Berger
Silver badge

Provisioning and maintenance mostly

For example when a customer complains, the call-center agent can see how bad the line is, etc.

1
0

Surprise! Another insecure web-connected CCTV cam needs fixing

Christian Berger
Silver badge

We _are_ talking about Siemens

...the company, that even in this century had software that stored settings in an SQL database... accessed by hardcoded credentials.

2
0