* Posts by Christian Berger

4090 posts • joined 9 Mar 2007

DJI bug bounty NDA is 'not signable', say irate infosec researchers

Christian Berger
Silver badge

The whole NDA thing is rather questionable anyhow

I mean if I find out that a certain kind of LED light is a safety hazard as it'll expose live wires when you pull on some part too hard, you damn well tell the public.

We are far too forgiving towards manufacturers of software. They often purposefully build security issues into their software and instead of issuing recalls we allow them to patch their software as often as they like.

1
0

Universal basic income is a great idea, which is also why it won't happen

Christian Berger
Silver badge

"Basically, comes down to a government / state controlling everything you do - and the gradual erosion of personal choices and liberties as they're seen to be at a higher cost, etc."

Which is exactly what's happening in countries with a "free market". A "free market" usually leads to less competition as competitors will simply cooperate or merge to get around competition.

1
0
Christian Berger
Silver badge

The fascinating thing is that we are already there

Starting in the 1960s, productivity has been high enough so people could work less for the same comfort. That's why German unions have been able to lower the work time per week to 38 or even 35 hours in union shops (mostly the car industry).

We are already seeing more and more "bullshit jobs" which consist of fulfilling artificial bureaucracy. We are seeing more and more calls from the economy to lower education standards to lower productivity. The best known one is the Bologna Process.

The only reason we don't have universal basic income is probably neoconservative think-tanks like the Mont Pelerin Society.

6
0

Evil pixels: Researcher demos data-theft over screen-share protocols

Christian Berger
Silver badge

Re: I think I get the idea here.

No it doesn't. You can simply open up files in the default editor and read them off the screen again. That's not rocket science.

0
0
Christian Berger
Silver badge

Yes, you can leak data via the screen

Just like you can leak arbitrary data via the printer, keyboard LEDs, network interfaces, sound cards, power consumption or any other kind of output interface. It's what they are meant for. It's what the "output" part of "output interface" stands for.

2
0

Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Christian Berger
Silver badge

damn, posted too early, it should be

..having a separate system designed to circumvent security boundaries which is enabled by default is certainly a stupid thing.

20
0
Christian Berger
Silver badge

Increasingly security is about not doing stupid things...

... and having a separate system designed to circumvent security boundaries which is enabled by default.

Seriously, if you make any system more complex, it'll be less secure.

38
0

Boffins tear into IEEE's tissue-thin anti-hacker chip blueprint crypto

Christian Berger
Silver badge

Re: Seriously that sounds like an utterly stupid idea

Well but still, there is some software turning logic into masks. It's not done by hand anymore. There surely is a way to do the reverse automatically.

0
0
Christian Berger
Silver badge

Seriously that sounds like an utterly stupid idea

I mean eventually you need to create physical masks. Something you could scan again and reverse engineer fairly easily. That's something that has been done by amateurs (Visual 6502 project) in the past, and surely there are reverse engineering companies offering that as a service.

3
0

CableLabs, Cisco working on LTE-over-DOCSIS

Christian Berger
Silver badge

Re: So essentially...

Kabel Deutschland... much of their equipment still is from the 1980s... as evident from captions when something goes wrong still saying "Deutsche Bundespost".

0
0
Christian Berger
Silver badge

So essentially...

... they are trying to not only put their subscribers, but also base stations on the already crowded DOCSIS loops made out of crumbling 30-40 year old coaxial cables?

2
0

Updating Things: IETF bods suggest standard

Christian Berger
Silver badge

Not really much of a problem

If you have auto updates which you can disable, but which are enabled by default, I don't see much of a problem.

After all, unlike software companies, hardware companies do have some liability. If you have a long-out-of-warranty device which burns down your house because of a manufacturing defect, the manufacturer/vendor/importer is responsible for it. Those "accidental" bad patches should be easy enough to trace back to the manufacturer.

0
0
Christian Berger
Silver badge

We need to move past updates

If a manufacturer ships a dangerously defective product, allowing them to send out an update is already a big step towards them. Normally that manufacturer/importer/dealer would be forced into a product recall.

We need to simplify devices again. Why does a webcam have an always-running web-based configuration interface? Wouldn't it be much simpler if that interface only ran within the first 10 minutes after power-up, and configuration changes were then done by regularly downloading a configuration file via HTTPS?

Why do we have TR069? I mean I can understand the need for remotely managing devices... but why TR069, wouldn't a simple protocol be able to do everything just as well?

0
0

Donald, YOU'RE FIRED: Rogue Twitter worker quits, deletes President Trump's account

Christian Berger
Silver badge

Interesting question: Do people have a right to a Twitter account?

I mean what if Twitter just kicked him out? It's a commercial service after all that's not really regulated.

16
0

Wheels are literally falling off the MoD thanks to lack of cash

Christian Berger
Silver badge

Ahh I know that pattern

The same story is currently used by the German Bundeswehr to justify increasing its budget. In Germany they even hired a consultancy company (I think PWC) for that.

0
0

America's 2020 Census systems are a $15bn cyber-security tire fire

Christian Berger
Silver badge

Re: Seriously, that's something you probably could do via batch processing

BTW, this famously was done on punchcards in the past. Essentially when you collect your data in text files on a central hardened computer, you can easily write programs to answer all of your statistical questions. Even if we are talking about terabytes of data, the programs will run faster than you can write them.

So statisticians can submit their programs to that air gapped computer and get back the results.

2
0
Christian Berger
Silver badge

Seriously, that's something you probably could do via batch processing

Just collect all the data in simple text files and process them overnight. No web interfaces or other complex shit required, just transferring some files, for example via encrypted e-mail or sftp.

This shouldn't be complicated.

5
0

Fine, OK, no backdoors, says Deputy AG. Just keep PLAINTEXT copies of everyone's messages

Christian Berger
Silver badge

What a wonderful diversion...

... let's all argue about encryption done by proprietary systems to divert from the much more real threat of "metadata".

The contents of a phone call or a text message are relatively hard to process, and even simple measures like using code words can make the job much harder.

"Metadata" is much more valuable as it is easy to process by computers. You can easily find out the graphs of interaction and therefore find out social networks.

2
0

F-35s grounded by spares shortage

Christian Berger
Silver badge

Maybe we are looking at it from the wrong angle?

I mean let's think of where all the money goes to. It's the aerospace industry.

What if those projects are not about getting planes, but about giving money to the aerospace industry. Considering that only nation states will buy those planes, surely it would be much more efficient to create an international company developing and building them.

1
0

Holy DUHK! Boffins name bug that could crack crypto wide open

Christian Berger
Silver badge

Well...

... crypto certifications require resources which could otherwise be used to have better crypto.

Or in a practical example: Imagine company X has a random number generator which passed certification. Now one of the engineers has a good idea to make it much more secure. They will be stopped from implementing it since any change would mean recertification which is expensive.

1
3

Gotta have standards? Security boffins not API about bloated browsers

Christian Berger
Silver badge

There is a political decision behind this

All of our current browsers are made by companies, some by for-profit ones, some by non-profit ones. All want to maximise dependency on them. If you had a browser which just worked and was bug free, you'd never upgrade. Eventually you end up like GnuPG, which is finished, yet there is a small company behind it wanting to earn money.

So every player in the field has an interest in there being more and more standards. Every new standard means that users will have to update. Every new standard raises the entrance level for new competitors. So every new standard is good for the already existing browser companies.

2
0

NetBSD, OpenBSD improve kernel security, randomly

Christian Berger
Silver badge

It doesn't matter that it doesn't relocate in RAM while running

Relocating it once per boot is enough. You essentially hide a 1 megabyte kernel in 4 gibibytes of space... or 16 exbibytes if you're on a 64-bit platform. Guessing the right address gives you a 1:4096 or 1:17592186044416 chance of successfully hitting anything inside the kernel. (I may be off by a factor of 2)

And what happens if you guess wrong? Your kernel will have a page fault and cleanly terminate, resulting in a reboot and a new kernel layout.

BTW if you have guessed one address of the kernel directly, you still haven't won very much, you still need to guess what part of the kernel you've just found, and where the parts you want are.

2
0
Christian Berger
Silver badge

Well yes...

... but how often do you share in-RAM kernel images with other systems?

Besides if the attacker guesses wrong, you'll have a reboot.

1
0

Google emits tools to make cross-platform HTML apps less tragic

Christian Berger
Silver badge

Why don't they make a separate Web-App platform?

Something like "VNC" or "RDP" which tries to separate the application logic from the GUI, with the GUI being controlled from a server you connect to. No more asynchronous mess trying to guess what session separate requests belong to, but a session defined in a simple and consistent way. While you are at it, you might as well fix client-side certificates and use those for authentication. Transfer access to new devices via simple tokens, i.e. by using QR codes holding a URI.

HTML/CSS/JS never was meant for applications. It was always meant for quasi-static pages.

4
0

Arm isn't saying IoT firmware sucks but it's writing a free secure BIOS for device makers

Christian Berger
Silver badge

None of this seems to have anything to do with the actual problems

We don't need locked down bootloaders as an attacker won't worry about staying persistent on the device. However users may want their own, more secure firmware on the device.

The problems we're currently facing are idiocy (using the userspace from your BSP) as well as incredibly complex protocols (TR-069).

1
0

New phishing campaign uses 30-year-old Microsoft mess as bait

Christian Berger
Silver badge

The sad thing is...

... that in many companies even technical roles are forced into using Outlook and Office products as well as Acrobat Reader.

At the company I'm currently working at, we had one of those pieces of encryption malware, which was just a matter of time as we have no actual security. The IT department was congratulated!

8
0

Dev writes Ethereum code for insecure SHA-1 crypto hash function

Christian Berger
Silver badge

Re: It's rather fitting

"Smart contracts run on a finite amount of gas, and are therefore not Turing complete."

Well yes, but by that notion, there are no Turing machines as the universe has a limited lifetime. It's like saying malware doesn't exist on mobile devices as the battery runs out.

2
0
Christian Berger
Silver badge

It's rather fitting

Implementing an algorithm that should be dead (SHA1) in an environment that should not exist (smart contracts that are Turing complete)

5
1

Google faces $10k-a-day fines if it defies court order to hand over folks' private overseas email

Christian Berger
Silver badge

Cheap marketing

That's very little money for keeping up the idea that data is safe with Google, regardless of what reality looks like.

3
1

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Christian Berger
Silver badge

I call Bullshit on this

ISPs probably already log their NAT tables, even cheap "hot spot" routers can do that easily. The enforcement companies probably just don't yet submit the ports to information requests.

Of course there are the people who want to see the Internet as a glorious Facebook delivery network. Those are happy with CGNAT. However that's not what the Internet is. The Internet is a peer to peer network with no participants playing a special role. It's just that home NAT and bad home operating systems have killed the peer to peer idea for most people. They see the Internet as something dangerous. Any "snakeoil in a box" solution will be evaluated based on how many alerts it presents to you. Don't run your own webserver to share your pictures, use Facebook instead, then you'll be all safe and warm behind your double or triple NAT which logs all your connections.

However with ubiquitous surveillance, maybe we should consider getting alternatives to the Internet, meanwhile IPv6 will at least save us from the marketers who evaluate every bit we send the Facebooks and Googles of the world, since we can easily build ways around them.

0
0

Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

Christian Berger
Silver badge

Re: DDE is a Windows feature - not an Office one

Well DDE is one of several similar features (because Microsoft just loves reinventing features). OLE Automation is, as far as I know, distinct from it.

And of course there's probably still lots of software around which is vulnerable to that timer callback pointer problem, where an external message can include a callback pointer which will be called.

In short, there are no security boundaries between different programs running under the same user.

1
0
Christian Berger
Silver badge

The problem is deeper

1. Users on Windows are conditioned to always click "OK" when a popup appears. Popups appear even for completely pointless reasons. To the user they all look alike.

2. The default way to install software on Windows is to download some file from some obscure location and then essentially execute it.

3. Because of 2, browsers often allow you to execute files you just downloaded right away, eliminating precious seconds in which the user could think about what they are doing.

4. This is not limited to Windows, but there are idiots who believe that sandboxes work, even though they have been proven otherwise countless times. Those people insist on Turing complete languages even in places where they are not essential. The results are websites that require JavaScript, or companies requiring you to install an app to get to their services.

3
1

Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

Christian Berger
Silver badge

I've recently seen a current version of Outlook...

... and I can now say with confidence, that Microsoft has given up on e-mail a long time ago. It still doesn't even have basic functionality like being able to display topic trees correctly.

Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

8
5

RDX removable disk has ransomware protection begging to be bypassed

Christian Berger
Silver badge

Re: Ahh, it's application level granularity...

"I believe that hole (that potentially allowed you to take over the elevated privileges of say antivirus programs!) was fixed some time ago."

No it's been found some time ago, since it's an application problem, it needs to be fixed in every application... which is not going to happen, particularly for all that legacy stuff companies depend on.

"True, but corporates would normally only allow trusted signed or trusted location macros to run. Even for consumers Office defaults to disabling active content by default and warning you before enabling them."

The OLE Automation problem does not rely on macros being enabled. You can simply control those applications from another program. It's an intended feature. Even if there wasn't OLE Automation, you could still just start the program, make the window invisible, and send keypresses.

There simply are no security boundaries between Windows applications running under the same user by design.

0
0
Christian Berger
Silver badge

Ahh, it's application level granularity...

therefore it's software.

One obvious attack is attacking that software. Maybe if it crashes you get full access.

More likely attacks are on the software a user uses. Many Windows programs have a bug handling timer events. Essentially they activate a timer which will generate an event after some time. That event can have some data attached to it. In the 1990s it was common to put a pointer to the function you want to be called there. Additionally you can set the text of GUI elements from another program (one important Windows feature, it's often used by screenreaders), so you can get code into them. Add both problems together and you can get any software to do anything.

Ohh and of course if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions. You can even do it in the background. Also you can execute code in the context of Word or Excel.

0
0

'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Christian Berger
Silver badge

I'm sorry, but wasn't there a "cloud" anti virus involved...

... which uploads files to the manufacturer's cloud for further checking?

4
0

It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked

Christian Berger
Silver badge

Can't we just call it properly?

It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.

It probably was them either having an SQL injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus' fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.

3
2

RAM, bam, awww ... man! Boffins defeat Rowhammer protections

Christian Berger
Silver badge

Re: Why can't we just admit that sandboxes don't work?

"but contain instructions carefully crafted to trip up the parsers that are supposed to display them to you."

You can formally verify parsers for decent languages, and you can make your language simple enough that your parser will be so trivial, it won't have a bug.

2
1
Christian Berger
Silver badge

Re: Why can't we just admit that sandboxes don't work?

Well that's actually rather easy:

1. Use distributions sharing the same values as you have.

2. Have you ever seen the web before JavaScript and Flash? Everything worked much faster, despite browsers that choked on some GIFs and dialup connections.

Things don't magically work just because you want them to work. Sandboxes have been proven over and over again to not work.

3
2
Christian Berger
Silver badge

Why can't we just admit that sandboxes don't work?

Can't we just ban Turing complete code from untrustworthy sources from our computers? Can't we just change the web so websites aren't Turing complete any more?

2
4

Mozilla extends, and ends, Firefox support for Windows XP and Vista

Christian Berger
Silver badge

That depends on the services enabled

I mean for Windows 2000 there used to be a tool which just disabled all network facing services. That tool made even a Windows 2000 machine fairly secure.

The big problem with Windows is that the services are even less transparent than systemd. You have no direct way to list all open sockets, and many services share the same TCP ports.

Add to that that many applications need now-obscure network features (like DCOM) and you have a recipe for disaster.

4
2

Oracle VP: 'We want the next decade to be Java first, Java always'

Christian Berger
Silver badge

Re: "Java [..] is the number-one programming language"

Well for some unknown reasons SIM-cards often contain a tiny JVM.

0
0

Russian telco backs up North Korea's sole Internet link

Christian Berger
Silver badge

There are some details on Internet in North Korea

They have an internal net which uses private IP addresses instead of DNS because, obviously, they are easier to remember than some Latin transliteration.

There's Internet for foreign professors who are invited into the country, but it's unclear who else gets access to it.

There's actually a talk about it:

https://media.ccc.de/v/31c3_-_6253_-_en_-_saal_2_-_201412292115_-_computer_science_in_the_dprk_-_will_scott

BTW, has anybody heard the news that Li Jong-nui succeeds Kim Jong-un?

http://www.der-postillon.com/2017/10/li-jong-nui.html

2
0

Azure fell over for 7 hours in Europe because someone accidentally set off the fire extinguishers

Christian Berger
Silver badge

The insane thing about it is...

that most of the things people do on that cloud are things you could do at home with an extremely modest server from 20 years ago. E-mail and storage aren't particularly hard things to do.

43
14

Commodore 64 makes a half-sized comeback

Christian Berger
Silver badge

I find such projects a bit sad

Essentially they are reducing home computers to games machines. Home computers were excellent toys to learn how computers worked. They had programming languages simple enough to fully learn in 2 weeks, they had hardware and "operating systems" easy enough so they could be fully understood by the determined hobbyist.

Compare that to the Raspberry Pi, which runs a highly complex operating system, on highly complex and only partially documented hardware. No single person can understand it and learn from it.

Maybe we should instead make a Commodore PET clone, with a small microcontroller running a 6502 emulator as the CPU and perhaps video output. That way we could have a machine again which would be understandable by everyone, yet powerful enough to do things.

27
1

Forget the 'simulated universe', say boffins, no simulator could hit the required scale

Christian Berger
Silver badge

As well as...

our universe being in the same order of magnitude of space as the universe the computer is in.

This is simply an undecidable problem.

16
0

Sigfox doesn't do IP and is therefore secure, says UK IoT network operator

Christian Berger
Silver badge

Well, but that's the other side

The satellite receiver is the receiver here. Obviously, as mentioned, you can spoof the remote and control the device, but not the remote. Again, this is a question of the threat model.

BTW since satellite television uses the same model of "send and forget", even if you have total control over the receiver, you still couldn't use that to attack the satellite or uplink station. (And yes, you can just use your own equipment to send up some noise on the uplink frequency of the satellite)

0
0

US yanks staff from Cuban embassy over sonic death ray fears

Christian Berger
Silver badge

Actually like a laser...

"So, somebody can point a narrow beam of sound at your room only, and even at you, not disturbing your neighbours much."

It does reflect on surfaces so you can detect it easily even if not in the main cone of radiation. Yes you can do mixing, it's common with all systems that have some non-linearity, again, you can check for that very easily.

It seems that if there was an actual case against the Cubans, there would be some actual evidence presented.

0
0
Christian Berger
Silver badge

It should be trivial to get some facts on that

Essentially get some measuring equipment, a decent digital audio recorder might do, and look for it. I mean this is sound, you can measure and record it.

3
0

'Dear diversity hire...' Amazon's weapons-grade fail in recruitment email to woman techie

Christian Berger
Silver badge

If they only were trying to solve actual problems...

...like asking for proper social and education systems, so everybody can choose the way they want to live without fear of slipping into poverty, then we'd have some actual progress.

It's much easier to blame all of the world's problems on people who share less than 90% of your views.

6
6


Biting the hand that feeds IT © 1998–2017