* Posts by Christian Berger

4851 publicly visible posts • joined 9 Mar 2007

Disk firmware can kill a whole cluster how exactly? Cisco explains

Christian Berger

Yeah, particularly in a RAID situation where you'll end up with several independent blocks with connected cleartext. Essentially you could, for example, have the same cleartext encrypted with 2 ciphertexts in a very predictable manner. This is one of the things that could eventually become exploitable.

Boffins want to stop Network Time Protocol's time-travelling exploits

Christian Berger

It's not an actual problem

I mean, yes, you can shift the time of servers around, in theory, if you put lots of effort into it and if the server operator doesn't have its own local NTP infrastructure, but in reality that's just a lot of hassle for little profit.

Clients typically don't care about NTP at all and only implement its braindead cousin SNTP which gives you a very rough approximation of the actual time and date.

GPS sounds like a good idea, until you are inside, however for mobile devices, which have GPS anyhow, this is a sensible way to get a rather decent precision of time.

In some places, like Europe, you have the additional possibility of getting your time via longwave transmitters. The DCF77 signal carries the time in a way you can get your error well down below a millisecond. Other similar transmitters will still get you the time to a fraction of a second.

Git365. Git for Teams. Quatermass and the Git Pit. GitHub simply won't do now Microsoft has it

Christian Berger

Never gonna Git you up

Christian Berger

You wouldn't pull this from any other guy.

Christian Berger

You know the spec and so do I.

Christian Berger

If it was Apple, they'd call it iGIT

For Reference:

https://dict.leo.org/englisch-deutsch/igitt

The butterfly defect: MacBook keys wrecked by single grain of sand

Christian Berger

Re: The elegant and slimmer fix

"that is not tarnished by holes, keyboard or screen"

But where do you display the ads?

BlackBerry KEY2: Remember buttons? Boy, does this phone sure have them

Christian Berger

Hmm, considering that you can now get the Gemini...

... or several truly portable laptops from GPD, or soon the Pyra... it's not really a good deal.

I mean the only thing it has going for it is its keyboard, and that's severely lacking important keys like the escape key. You are forced to use Blackberry's branded version of Android, which means that once they stop supporting it, you'll be left with a highly complex system cut off from all the upstream bug fixes and since there is no root, you cannot even use iptables to make sure the device only talks to _your_ servers.

A slick phone Linux for your pocket PDA? Ooh, don't mind if I do, sir

Christian Berger

I wonder if they kept all the good stuff from Maemo

I mean Maemo was great, you could just get root by setting a password. You could install most debian packages simply via apt-get. The only problems I've seen so far was the limited hardware that was available and that it didn't support UTF-8.

BTW German Gemini keyboards still don't seem to work on Android, even with the most recent firmware. You can select them in that wizard, but they will always use the English layout.

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

Christian Berger

Yeah, but CAs are not really that trustworthy

And checking CAs won't bring you much more security. In fact one could argue that since you already looked up the DNS record you already have a central system telling you you are talking to the right server.

Trusting in CAs either gives you an "E-Mail tax" where you give money to a company for a certificate, or it creates a centralized single point of failure by using "Let's Encrypt".

In any case, lifting the task of an attacker from simple sniffing to an active attack is already rather good. Realistically the next step would be to shake out all the misfeatures and bugs out of TLS since that has, in recent years, been proven to be a far more problematic problem. (see Heartbleed)

On Kaspersky’s 'transparency tour' the truth was clear as mud

Christian Berger

Well the big difference is...

... that as a German, my government probably would protect me from the Russians, but it surely wouldn't protect me from the US. So if I only had to choose between those two options, I'd rather have the Russians have my data.

Though it's likely that the secret services have a good working relationship with each other, so my data will end up in everybody's files anyhow.

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware

Christian Berger

2 lessons to learn from this:

a) Code Signing is not a security feature as it tells you nothing about the nature of the code, whether it's malevolent or benevolent or whether it has security critical bugs.

b) Outsourcing cryptography is a bad idea, particularly when it's outsourcing trust. Just because some entity unknown to you believes that X is trustworthy doesn't mean that you should trust X.

Why aren't startups working? They're not great at creating jobs... or disrupting big biz

Christian Berger

Re: Well progress is not creating new work

@find users who cut cat tail

I agree, however I fear that this will have to end eventually, because much of that relies on finite resources.

Christian Berger

Well progress is not creating new work

Progress is reducing the amount of work that has to go into achieving certain goals. I know this sounds completely absurd to many people sitting in their offices playing Office, but that kind of progress enabled us to not have to hunt or gather our own food. It enabled us to have culture, to think about things other than our immediate needs. We can now afford to treat ill people instead of letting them die. We have things like electricity and computers. All thanks to increasing efficiency.

So even if startups were "successful" they wouldn't create new jobs. "More Work" shouldn't be our goal, instead we should look at ways to make everyone feel needed while dealing with a potentially ever decreasing total amount of work.

Ubuntu reports 67% of users opt in to on-by-default PC specs slurp

Christian Berger

Apparently you can still order that kind of hardware

I was surprised by our IT department getting me a new PC which only had 4 Gigabytes of RAM. Apparently you can still get that.

One should note that, apart from really bad GUI designers, few people actually need more than a Gigabyte. Most ERP systems will have their complete database fitting in 4 Gigabytes of RAM for small to medium sized companies.

Schneier warns of 'perfect storm': Tech is becoming autonomous, and security is garbage

Christian Berger

Re: SkyNet is coming!

You are assuming that our current run of technology kinda working continues. However there's a strong trend towards needless complexity which can eliminate that rather quickly.

So the future might not be "Terminator", but "The Machine Stops".

Christian Berger

It's a logical conclusion to stopping to educate people

Back in my day, there were mandatory programming lessons at school, and things like data protection were explained on TV even in "edutainment" form.

Of course the "knowing Excel is a valuable ability"-Generation has no idea how computers work and why we should not engage in some forms of their abuse.

At least in Germany in the 1980s there was a strong opposition to data abuse. For example there's a TV report on the "car of the future" which details an early nav-aid. It used a central computer and tracked the car via induction loops. It stated that using that data to check for speeders was obviously an abuse of it.

Buttonless and port-free: Expect the next iPhone to be as smooth as a baby's bum

Christian Berger

That's actually very simple to achieve, technically

As you have no headphone socket, it makes little sense to have audio processing inside, same goes for speakers and microphones.

Then it's obviously a problem if the user stores data on the device as that can more or less easily be copied during police searches. Persistent memory is also the main reason why jailbreaking works, so ditch any kind of persistent memory.

Then obviously Apple has to share its profits with mobile carriers. Those want to have some share of the money. Removing the wireless interfaces would get around that. No LTE, no need for a SIM.

CPUs are no longer of any relevance in the mobile world. Nobody buys product X because its CPU is faster than Y. Since you have no interfaces and no storage, there's nothing for your CPU to do anyhow, so get rid of it.

OLED screens are _really_ expensive. However a simple sheet of glass can look just as nice, particularly if you print something pretty on its back. This also removes one huge burden for your power budget and might get you to the next point.

Batteries are expensive and require some way to charge and/or replace them. Also they can catch fire. If you also remove the cameras you might be able to reduce your power so much that you can get away without any battery.

So yes, you can easily produce such a device, and I'm sure Apple could even sell it. It could even be made incredibly thin so reviewers would love it.

BlackBerry CEO: We need help from the channel to grow

Christian Berger

Probably a great example of that kinds of things you can do wrong.

Like resting on the portable Exchange client business without broadening the use of your devices to be generic "portable terminals". If they had done this, and had opened their protocols, they could have achieved some vendor lock-in, as software makers would have implemented those protocols into their solutions. Ideally that would have been _much_ simpler than writing a web app or some dedicated Android app.

Unfortunately they became an Android rebrander, giving you an extra insecure Android (no updates and no way to root it to use iptables). Rumours about login credentials being sent to RIM as well as having to use their proprietary backend server certainly didn't help to gain trust among security professionals.

How a tax form kludge gifted the world 25 joyous years of PDF

Christian Berger

PDF can be cool... if you stay away from Adobe

I mean look at computer magazines like PoC||GTFO which are distributed as PDF files. Those are usually polyglots which use all the sensible features of PDF (so only a tiny fraction) and usually are polyglot. One issue even had the hash of itself printed on the title page.

One should note that Postscript as a document format has severe security problems, as this is actual code by design. Plus the firmware update feature of many printers works via sending them Postscript. So it would be possible to have a Postscript file having multiple exploits inside owning both your computer _and_ your printer.

Dearly beloved, we are gathered here today to mark the life of Slack for Windows Phone

Christian Berger

Slack? Seriously?

I fail to see how attention grabbing as a service is in any way desirable. We now have letters and e-mail, we can now communicate with each other in non-synchronous ways. One can ask a question while the other one can react at any time they choose. This is one of the greatest improvements in human communication.

Slack on the other hand is just a bad copy of IRC with disadvantages mimicking the telephone network.

What can you do when the pup of programming becomes the black dog of burnout? Dude, leave

Christian Berger

I've actually seen more of the opposite

In one company, I've had the opposite problem. You get time allotted to solve a certain task, you finish it to decent standards in half of that time, polish it and fix the bugs the tester found (testers are a great thing to have on your development team), but then you still have a quarter of your time left you need to fill somehow.

That is really frustrating, particularly when there are problems in the software that cannot be reasonably fixed, as they were based on design decisions other people did. Eventually you'll break over the difference of what you think should be and what is.

Unbreakable smart lock devastated to discover screwdrivers exist

Christian Berger

Re: Prediction for the next problems

"Magnets won't work on steppers, and decent fingerprint scanners will ignore masks - which would make these methods useless for any well designe... oh wait."

Well actually magnets work on most kinds of motors. You essentially emulate the fields which the coils generate by sliding a magnet down the side, then turning the magnet and doing it again.

Fingerprint scanners don't ignore masks, as with any biometric method you can always fool them. Usually even very easily. (see Touch-ID)

Christian Berger

Prediction for the next problems

The standard things to try out would be:

Using a strong magnet to make the motor turn without being told to do so. That way you could open the lock.

Reading off the fingerprint from the reader, generating a fingerprint mask and using it on the device. If they were really stupid, they didn't check for "latent fingerprints" and all you have to do is breathe at it.

Quantum cryptography demo shows no need for ritzy new infrastructure

Christian Berger

Obviously it needs that

All those schemes work on dedicated unamplified fibre, and don't even dream about repeaters.

Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Christian Berger

Re: Floating point crypto operations?

"I did not realize that the scope of the FPU had grown so much over the years!"

It actually hasn't. It's just that register reuse became popular.

Any task switcher needs to store all registers of an old task and restore all registers of the new task. If you add new registers, you'd need to change the code of your task switcher. In the 1990s when register reuse started, this obviously was a no-go. It would have meant that Microsoft would have to have provided patches to their existing software packages. For example that task switcher in dosshell would have had to be updated, as well as Windows.

Therefore they chose to re-use registers since that's way easier than convincing Microsoft to change their code.

Huawei unveils bigger iron KunLun server at CeBIT

Christian Berger

How does cache coherency work on such a system

I mean presumably it mimics a huge shared memory box when one actually makes multi-CPU partitions.

The chances of anything really new coming from storage are a million to one, but still they come

Christian Berger

The musical was made on excess time for "Watership Down"

Apparently the composer for "Watership Down" couldn't come up with enough music for the film, so the orchestra padded out and rearranged what little they had and recorded that. The remaining time was sold to record the "War Of The Worlds" musical.

Which? calls for compensation for users hit by Windows 10 woes

Christian Berger

Re: I was in IKEA...

Well seriously, if someone is still trying to sell you an information screen based on Windows in 2018, you should be very wary of them.

After all in the real world, there are software packages/services like Info Beamer, that allow you to do the same with a small Linux box (preferably a Raspberry Pi) with features like live coding (save your file and the new code will be applied during the next frame) and recursive frames in subdirectories. If you use the commercial services all you need is to upload your content to the "cloud", write the OS image onto an SD-card, pop that into a Raspberry Pi and register it to the service.

And if you don't want to use the service you can use Info Beamer independently of it. Just log into your computer via ssh and edit the files on there.

Christian Berger

One would expect a consumer magazine...

... to know somewhat more about Microsoft, than to expect that they would now compensate their users.

England's top judge lashes out at 'Science Museum' grade court IT

Christian Berger

Trivial...

Once you have a trivial document format, you can either just transfer the files via simple protocols like FTP (over VPN of course) or you can use VNC to remotely use a computer.

Christian Berger

Yes, plus...

...for court documents having them as simple high resolution bitmaps with OCRed (or exported) plain text would already be very good without opening them up to the dangers of some Office product or even Acrobat Reader.

Instead of spending more and more money on highly complex solutions, we should think about making trivially simple archival formats. We now have the bandwidth and storage space that we can deal with documents being RLE compressed bitmaps along with a UTF-8 extract of the text on them. Yes, a page may be 200 kilobytes, but today the risk of having a bug in a complex parser exploited by far outweighs a couple of gigabytes of storage space.
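To make the "trivially simple archival format" idea concrete, here is an added example (not from the thread, and not any existing standard): a 1-bit page stored as run lengths plus a UTF-8 text extract, with an encoder and a decoder whose entire parsing logic fits in a few dozen lines. The container layout (a "RLE1" magic, three 32-bit lengths, the text, then 16-bit big-endian run lengths alternating white/black per row) is an assumption chosen for this example. The point a reviewer would look for is that every length is checked against the bytes actually present before anything is read, so truncated or oversized input is rejected instead of being trusted.

```python
"""Minimal archival page format: RLE 1-bit bitmap + UTF-8 text extract.

Layout (an assumption made for this example, not an existing standard):
  magic b"RLE1" | width u32 | height u32 | text_len u32 | UTF-8 text |
  per row: run lengths as u16 big-endian, alternating white/black, starting
  with white (a zero-length run is only allowed as the first run of a row).
"""
import struct

MAGIC = b"RLE1"
HEADER = struct.Struct(">4sIII")  # magic, width, height, text_len
RUN = struct.Struct(">H")


def encode_page(rows: list[str], text: str) -> bytes:
    """rows: strings of '.' (white) and '#' (black), all of equal length."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    if width == 0 or height == 0 or width > 0xFFFF:
        raise ValueError("bitmap must be non-empty and at most 65535 wide")
    if any(len(r) != width for r in rows):
        raise ValueError("ragged bitmap")
    runs = bytearray()
    for row in rows:
        color, run = ".", 0
        for px in row:
            if px not in ".#":
                raise ValueError(f"bad pixel {px!r}")
            if px == color:
                run += 1
            else:
                runs += RUN.pack(run)  # run <= width <= 65535, so it fits
                color, run = px, 1
        runs += RUN.pack(run)  # closing run of the row
    body = text.encode("utf-8")
    return HEADER.pack(MAGIC, width, height, len(body)) + body + bytes(runs)


def decode_page(blob: bytes) -> tuple[list[str], str]:
    """Strict parser: every read is bounds-checked against len(blob) first."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, text_len = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if width == 0 or height == 0:
        raise ValueError("empty bitmap")
    pos = HEADER.size
    if len(blob) - pos < text_len:
        raise ValueError("truncated text")
    # UnicodeDecodeError is a ValueError subclass, so bad UTF-8 is rejected too.
    text = blob[pos:pos + text_len].decode("utf-8")
    pos += text_len
    rows = []
    for _ in range(height):
        chunks, filled, color, first = [], 0, ".", True
        while filled < width:
            if len(blob) - pos < RUN.size:
                raise ValueError("truncated run data")
            (run,) = RUN.unpack_from(blob, pos)
            pos += RUN.size
            if run == 0 and not first:
                raise ValueError("zero-length run")
            if filled + run > width:
                raise ValueError("run overflows row")
            chunks.append(color * run)
            filled += run
            color = "#" if color == "." else "."
            first = False
        rows.append("".join(chunks))
    if pos != len(blob):
        raise ValueError("trailing bytes after bitmap")
    return rows, text


def is_well_formed(blob: bytes) -> bool:
    """True if decode_page accepts the blob, False on any ValueError."""
    try:
        decode_page(blob)
        return True
    except ValueError:
        return False


# Constructed sample page: a tiny 6x3 bitmap and a short text extract.
SAMPLE_ROWS = ["..##..", "######", "......"]
SAMPLE_TEXT = "Aktenzeichen 42/18"

if __name__ == "__main__":
    blob = encode_page(SAMPLE_ROWS, SAMPLE_TEXT)
    print(len(blob), "bytes on disk")
    print(decode_page(blob))
```

The decoder never allocates based on a length it has not first compared with the remaining input, and it refuses trailing data, so there is no hidden region for a second interpretation of the file to live in. The only amplification is the run-length expansion itself (at most 65535 pixels per 2-byte run), which is bounded by the declared width.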

VPNFilter router malware is a lot worse than everyone thought

Christian Berger

Wasn't that the company...

that advertised "The NHS is completely protected with Sophos" just before they got hit by Wannacry?

Christian Berger

Re: malware scum *

"though granted they are all using very similar software"

Hence the term "BSP reskinner", someone who takes the board support package of a router chipset and puts their own logos and HTML-pages on it.

In defence of online ads: The 'net ain't free and you ain't paying

Christian Berger

It's not like we don't have a micro payment rich alternative ecosystem...

... there are appstores and they are just as full of targeted ads as the web is.

Also few people complain about ads, what people complain about is tracking and Javascript which are completely different things.

Automation won’t take your job until the next recession threatens it

Christian Berger

another difference

While your 1990s Unix workstation had simple interfaces making it simple to automatically process, for example e-mails into commands for a database, we now neither have people with basic computer skills, nor have simple interfaces for office automation.

So now instead of dictating a text and handing it over to the printing department, people spend hours looking for cliparts and fonts to put into their printed documents.

Stern Vint Cerf blasts techies for lackluster worldwide IPv6 adoption

Christian Berger

Re: But I like...

"My fritzbox uses a different IP on the home network to the one on the internet."

Yes, but for the one on the Internet you can use the free MyFritz service to get a domain name.

Christian Berger

Re: But I like...

"I'll never remember:

My router is 2001:0db8:85a3:0000:0000:8a2e:0370:7334"

Yeah, because nobody will ever give their router such an address. It'll likely be:

2001:0db8:85a3::0000

Or for most consumer networks, it'll be accessible as "fritz.box" via DNS.
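The two spellings quoted in this exchange are the same kind of address written long and short. As an added example (not part of the forum thread), the following code implements the RFC 5952 canonical text form that tools print: parse the eight 16-bit groups (expanding a single "::"), drop leading zeros, and collapse only the longest run of two or more zero groups. It cross-checks itself against Python's standard `ipaddress` module; the input strings used are the ones from the thread plus a few constructed edge cases.

```python
"""RFC 5952 canonical text form of IPv6 addresses (added example)."""
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> list[int]:
    """Parse an IPv6 address string into eight 16-bit integers.

    Accepts at most one '::' abbreviation and raises ValueError on anything
    malformed, so a caller never silently accepts garbage.
    """
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        parts = head_groups + ["0"] * missing + tail_groups
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("expected eight groups")
    groups = []
    for p in parts:
        if not 1 <= len(p) <= 4 or any(c not in HEX_DIGITS for c in p):
            raise ValueError(f"bad group {p!r}")
        groups.append(int(p, 16))
    return groups


def compress_ipv6(text: str) -> str:
    """Return the RFC 5952 form: lowercase hex, no leading zeros, and the
    longest run of two or more zero groups (leftmost on ties) as '::'."""
    groups = expand_ipv6(text)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups):
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:  # strict '>' keeps the leftmost run on ties
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:  # a single zero group is never abbreviated
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(text: str) -> bool:
    """Agreement check against the standard library's canonical form."""
    return compress_ipv6(text) == str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    for addr in ("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:0db8:85a3::0000"):
        print(addr, "->", compress_ipv6(addr), "stdlib agrees:", matches_stdlib(addr))
```

Running it shows the thread's long form shrinking to `2001:db8:85a3::8a2e:370:7334` and the short form the reply proposes normalising further to `2001:db8:85a3::`, which is the spelling a router would actually print in its own UI.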

Christian Berger

It will co-exist, we have done bigger changes to our telecommunication networks

I mean the ISDN Telephony network co-exists with the Internet. Those are highly different technologies, yet, at first we tunneled IPv4 over ISDN, now we connect the remaining ISDN Islands over IPv4.

Just like some people got rid of their fax machines, and many companies got rid of their BBSes after they got Internet access, people might build the cool new stuff on IPv6 while the legacy stuff continues to be on IPv4 until it's dropped.

Dual-screen laptops debut at Asus' Computex chat

Christian Berger

WTF, why?

I mean I can mildly understand putting a touchpad into a laptop, but seriously putting an additional screen there will just waste valuable battery power as that screen will always be obscured by your hands.

Britain mulls 'complete shutdown' of 4G net for emergency services

Christian Berger

With 5G that'll be

Ambulance driver: Yes doctor, the patient is starting to... [418 I'm a teapot]

As 5G is based on HTTP.

'Moore's Revenge' is upon us and will make the world weird

Christian Berger

Re: Note that Moore did not write about speed

"/me thinks: GPUs (sorta already doing that, for some things)"

I'm not sure, as far as I know they still share the same memory. So they are nice if you have independent processes. I'm not sure how efficient those are for pipelines of different processes chained together.

Christian Berger

Note that Moore did not write about speed

He apparently wrote about circuit densities. That's a rather significant difference. BTW you can turn that into speed if you manage to use parallel processing. In order to do that in any meaningful way you need to ditch the shared memory concept as it doesn't scale.

It could be that we see a revival of the Transputer concept, where we have small simple processors with their own RAM connected via a high speed bus.

Is Microsoft about to git-merge with GitHub? Rumors suggest: Yes

Christian Berger

Disney probably is more of an IT company than AOL

Disney has started looking into IT and investing into its research at least as early as the 1970s. Back then they cooperated with Xerox PARC on programming literacy projects.

Disney even produced their own computer systems.

Christian Berger

It could have some benefits...

... as it would drive people away from GitHub. Now GitHub isn't too bad as such, however having all your eggs in one basket is something that is very dangerous. The Free Software world should not depend on one company.

If it means that people will set up their own git servers, I'm all for it.

HostingUK drops offline after losing Farmer vs Fibre competition

Christian Berger

There is something called geo-redundancy

It's a way of ordering cables to make sure they can't both be damaged by the same event. Usually you have fibres going through different places. If that is impossible, you can still put a slab of concrete in between the fibres making the "yellow fibre finding apparatus" break before it can find the other fibre.

You should find out what's going on in that neural network. Y'know they're cheating now?

Christian Berger

Such problems were known _way_ before the current hype

The early 1990s TV documentary series "The Machine that Changed the World" already covered that as a problem with Neural Networks by using the example of a tank detecting network trained with pictures of tanks during good weather, and pictures without tanks during bad weather. It trained on the weather instead of the tanks.

BTW that series only mentions the Internet once and only in passing.

Chinese president Xi seeks innovation independence

Christian Berger

They are actually trying

According to this talk by Mitch Altman, China is really working on supporting their hackerspaces as one of their sources for innovation. That certainly is way smarter than the German way of just giving companies money to waste.

https://media.ccc.de/v/zeteco-38-hacking_in_china

Christian Berger

I'm sorry, but incentives have nothing to do with the economy

It's not like in capitalism innovation brings any incentive other than the intrinsic ones. It's not like an innovative company will be successful. Just look at Apple which became successful after they stopped trying to be innovative.

The smartphone business simply is dead innovation wise, no change in how you do economics can change that. It's a commodity market, like sugar.

If you want to see innovation, you need to look into the public sector. Innovation is done at universities or even partially state run companies. Just look at the new electric car the German postal company brought out recently.

ISP popped router ports, saving customers the trouble of making themselves hackable

Christian Berger

Re: This is why I feel....

"Unfortunately they have taken some features out / it can't be used in bridged modem only mode grrr."

As far as I can tell, they have fixed that in newer versions.