
* Posts by Christian Berger

4611 posts • joined 9 Mar 2007

NUUO, do not want! CCTV webcams can be hacked to spy on you

Christian Berger
Silver badge

Well, yes, but...

imagine the manufacturer closes the first bug. If you used the second bug to get a normal account, you can still use that account.

0
0

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere

Christian Berger
Silver badge

Re: Drivers?

"It's nothing to do with drivers, an ARM server will have drivers for the hardware fitted in it, and it's rare that a server will have anything else installed into it that would require drivers."

That means you'll be limited to the kernel versions the manufacturer supports, which means that you'll have your typical "Smartphone" situation where you need manufacturer support to get updates.

3
1
Christian Berger
Silver badge

"The bigger problem that has held ARM back in data centre is about drivers"

Yes and that's actually the main advantage of "x86" these days. With "x86" you have the "IBM-PC" a well defined hardware platform which allows you to boot your OS and enumerate the hardware and talk to screen and keyboard in a rudimentary way without any special drivers. For many applications you can "port" an image designed for a server from one vendor to another one just by swapping the disk.

13
6

Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears

Christian Berger
Silver badge

Re: Welcome to the real world, MS

Well NAT64/DNS64 is just as broken as IPv4 NAT, but people have not yet adapted to it.

2
2
Christian Berger
Silver badge

Re: Why do we need IPv6

"IPv4 at least makes it hard for them to call their maker and very hard for their maker to cold call them. I think that's good, not bad."

Yes, but that's largely irrelevant as they'll simply connect to their makers or try their best to circumvent NAT. After all virtually all of those IP-Cameras joining botnets were behind NAT.

BTW consumer routers with IPv6 support will still block unconfigured connections coming from the outside.

7
2
Christian Berger
Silver badge

One should note that we had bigger transitions

I mean IPv4 and IPv6 are different networks, but they share the same infrastructure.

On the other hand, we have successfully transitioned from ISDN to IPv4. There used to be a time when sending a file meant to dial up a Fritz!Data or Eurofile server and transfer the file that way.

And yes, some people still use ISDN data calls, and of course phone calls, but that's such a tiny fraction that we went from tunneling IPv4 over ISDN to tunneling ISDN over IPv4.

We are currently in a similar transition with IPv6. We used to tunnel IPv6 over IPv4, but more and more ISPs now tunnel IPv4 over IPv6, since they need to spend money on NAT for IPv4 anyhow.

2
5
Christian Berger
Silver badge

Does that mean they'll bring out an IPv6 stack for Windows?

Or do they have a NetBIOS share with Trumped Winsock for IPv6?

4
3

Linux kernel's Torvalds: 'I am truly sorry' for my 'unprofessional' rants, I need a break to get help

Christian Berger
Silver badge

Re: Code reviews are for

An interesting question here would be if we should have "anonymous" code reviews. Under such a CoC people could complain about being treated unfairly if their code gets a really bad review.

4
0
Christian Berger
Silver badge

Re: Linux has become too big

Well yes, but Linux being big, in terms of LoC is one of the reasons we need a good gatekeeper.

Every line of code is dangerous. Therefore we need to weigh the benefits against the problems. Inexperienced programmers often underestimate the problems and overestimate the benefits of new code.

It's in a way like in a surgery room, you don't want too many unqualified people in there.

16
0
Christian Berger
Silver badge

I'm worried

Although treating each other well is a great thing to do, CoCs have been abused over and over again both with and without intention.

We need strong gatekeepers to the Linux kernel, because bugs in it can have terrible consequences. Considering we currently have an oversupply of people who want to program in "Open Source" projects with most of them not yet being good enough for kernel code, we already see a pressure of bad code getting into the kernel.

18
0

The internet – not as great as we all thought it was going to be, eh?

Christian Berger
Silver badge

Well the problems mostly lie within the Web and IPv4

The Web has grown from a moderately good idea to something which had every feature abused in terrible ways and lots of new terrible features added.

And with now most users being behind NAT, that keeps them from having their own websites without having to invest in hosting.

3
5

How have the BBC, Rovio and more put serverless to work?

Christian Berger
Silver badge

Doesn't the BBC use Syncopatico?

I think I've heard about that on one of their documentaries.

0
0

You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Christian Berger
Silver badge

Re: Physical Access

"Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want."

Now "Secure" Boot proponents will tell you that "Secure" Boot saves you from that. However there is a simple workaround to that. Company notebooks typically are from a narrow range of devices easily obtained by any attacker:

Just get the same model, install some form of software mimicking a system booting up then asking for a password and displaying a "wrong password" screen while sending the password off to you.

Then you use some social engineering and secretly swap the laptops. Claim to be from another branch of the same company and leave your business card with your mobile phone number.

Once the victim enters the password, you have it and can unlock the computer. Eventually the victim will suspect there having been a mixup and call you to swap them back.

11
0

Lenovo Thinkpad X280: Choosing a light luggable isn't so easy

Christian Berger
Silver badge

It's sad to see that so far no model could fully improve on the X200

I mean, sure the X250 is said to have a larger battery capacity and you can apparently swap the external one while it's running on the internal one.

However there are some models like the X240 or this X280 trainwreck which just lack essential features people desperately need, like the middle trackpoint button or Ethernet. I wonder how those decisions got made.

1
0
Christian Berger
Silver badge

Re: W. T. F. ?

And no easy to replace battery. I mean the X250 has the nifty concept of 2 batteries, one internal one (which you need a screwdriver and a quiet place to replace) and one you can replace on the go.

5
0

Look at me! Phone industry contracts nasty case of 5g-itis

Christian Berger
Silver badge

Re: And what is 5G?

Well the objective can't be speed, as that can already be achieved with LTE. LTE also allows for low processing power nodes for applications like IoT, or for new modulation schemes to be added, or beam forming, or macro-diversity and the like. That's why it's called Long Term Evolution.

5G is so far, mostly about redefining every protocol to be tunneled through HTTP without actually having any new desirable features.

0
0

A boss pinching pennies may have cost his firm many, many pounds

Christian Berger
Silver badge

I fail to see what's so special about this

I mean we all have been in situations where spending a few Euros would have saved the company hundreds or thousands of Euros, but those few Euros were too expensive or the procurement processes were too slow.

3
1

It's been 5 years already, let's gawp at Microsoft and Nokia's bloodbath

Christian Berger
Silver badge

Not really a failure

He did exactly what he was put into Nokia for, lowering the company value so it would be easier to buy.

Maybe Microsoft wanted to have a company to build their Windows phones, maybe they were afraid of Meego, which received virtually no ad money or device support and yet outsold Windows phones by far.

13
2

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

Christian Berger
Silver badge

Re: Of course it's not

And then of course, other attackers will get the keys from the attackers who were in the position to demand them from Supermicro.

0
0
Christian Berger
Silver badge

Of course it's not

I mean attackers will just demand those keys from Supermicro in order to get their malware running.

1
0

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Christian Berger
Silver badge

Re: AMP

"AMP page which is hosted by Google and has slow JavaScript disabled."

Yes and has lots of JavaScript added by Google which slows down page loads compared to pages without JavaScript.

12
0
Christian Berger
Silver badge

Re: The layers keep piling up

Some people don't understand that if you just hide complexity it doesn't get away, and that complexity always incurs technical debt which you'll have to pay eventually.

13
1

Voyager 1 left the planet 41 years ago – and SpaceX hopes to land on Earth this Saturday

Christian Berger
Silver badge

Actually that name is still widely in use

Imagine a soccer ball, then look at this Wikipedia page:

https://en.wikipedia.org/wiki/Adidas_Telstar

1
0

Canny Brits are nuking the phone bundle

Christian Berger
Silver badge

I never quite understood why one would get a bundle

I mean apparently carriers don't even replace it if it breaks, so in effect you are paying nearly normal price for a limited selection of nearly identical devices. If you are unlucky, you get locked devices which are completely unnecessary work.

I mean there used to be good offers, like the ones from the (now defunct) German carrier QUAM. They offered you a 24 month contract with 10 DM minimal fee. For that you got a "free" mobile, plus 240 DM in debit. So most people simply went there, got a contract, quit it immediately and therefore paid nothing, but walked away with an unlocked mobile phone.

24
0

Boffins are building an open-source secure enclave on RISC-V

Christian Berger
Silver badge

That's hard

Modern chip making processes are heavily guarded secrets. However what can be done in principle is simpler processes with larger structures.

The problem with this is that you cannot spend as many transistors as you do now. However in theory this could be compensated by better and simpler software. The things that _actually_ take lots of power could still be done in non-free components which are heavily isolated from the rest of the system.

6
0
Christian Berger
Silver badge

Re: What we would actually need...

Well actually there are some points to that.

First of all, yes you can modify a processor, however that's going to be _really_ hard as you are at an extremely low level. You are at a gate level and try to find out where, in unknown future revisions of the software, you have to do something in order to achieve your goal... while still conforming to the published specs which are very tight. The examples shown in academic papers assume known code which makes it far easier.

So if I was a government I'd go the route via some sort of "security enclave", essentially a separate system hidden from the rest of the system that can run software that patches future unknown code. That's far more realistic to pull off.

BTW you can actually buy processors which are so tightly speced and so simple in construction that you can make reasonably sure there were no malevolent actors involved. The 6502, the Z80 or the ATMega microcontrollers are prime examples for this. So if you can live with a small 8-Bit system, you can be reasonably sure it'll be safe.

7
0
Christian Berger
Silver badge

What we would actually need...

...would be standards for on chip peripherals, so you will have a standard way of accessing external storage like harddisks or flash. Essentially what we'd need is an "IBM-PC", a well defined set of hardware devices which allow simple porting of operating systems.

It's like on the PC, if you don't have a special graphics card driver, you can still use VGA or VESA as standards to get enough on the screen to be able to debug your OS. Or USB-interfaces, there are only very few ways to interface with USB controllers.

9
0
Christian Berger
Silver badge

Please no

Nobody has ever done anything positive with those things and usually they turn out to be _huge_ security problems as they often have elevated rights and the one who paid for the hardware has no control over what code it runs.

7
6

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

Christian Berger
Silver badge

Re: That's kinda the minimalist solution

Well the problem is that currently JS-libraries are loaded from their domains which means that those servers will have detailed access logs.

If the libraries came with the browser by default, you could save those http-requests.

2
0
Christian Berger
Silver badge

That's kinda the minimalist solution

It's apparently a list of "known bad" servers it won't talk to.

A more sensible solution would be to drop the most abused features one by one in the roadmap after providing more sensible solutions. For example they could block loading Javascript from foreign domains after they provided their own cross vendor Javascript standard library.

1
0

Data apocalypse is coming unless you buy AI, declares AI biz

Christian Berger
Silver badge

If you have too much data...

... maybe you should collect _less_ data and tell your marketing department about it. Sure you'll have less data, but collecting less data gives you an edge over your competitors.

BTW, it's not like you can legally collect data in Europe without knowing what to do with them.

2
0

Hello 'WOS': Windows on Arm now has a price

Christian Berger
Silver badge

Intel suing in 3... 2... 1...

I mean Intel and AMD have patents on their instruction set architecture.

Of course they could just emulate >15 year old CPUs which would fit the use case of most corporate Windows machines very well. After all few Windows-only Software actually uses anything that came out after 2000.

1
16

AI sucks at stopping online trolls spewing toxic comments

Christian Berger
Silver badge

Well we are talking about intellects comparable to...

mentally disabled children. "AIs" are simple machine learning and therefore not very smart.

Now while people usually have reservations against tricking mentally disabled children, they do not have such reservations against machines. Tricking machines is fair game. In fact it's common for people to hit machines or rub coins on them, scratching their surface just because they believe this will teach them a lesson.

Same goes for complex "Codes of Conduct". They are essentially just an invitation to trick them by finding loopholes and be as bad and annoying as you can be while still staying within the limits of the CoC. It's much better to handle conflicts on a case by case basis when they occur.

12
0

No need to code your webpage yourself, says Microsoft – draw it and our AI will do the rest

Christian Berger
Silver badge

Well back in the 1990s...

... designers could just use some graphic piece of software to lay out their forms however they want them to be.

2
0
Christian Berger
Silver badge

To contrast that to 1968

https://www.youtube.com/watch?v=QQhVQ1UG6aM

I mean handwriting recognition is not _that_ new.

1
0

Intel Management Engine JTAG flaw proof-of-concept published

Christian Berger
Silver badge

Re: No, it's easy to exploit.

"If you want to do USB debugging you need to open up the case."

Well for stationary computers, you can easily have physical security, the problem is with laptops.

1
0
Christian Berger
Silver badge

Re: No, it's easy to exploit.

Well the point is you can put tamper evident seals on all the screws, putting a tamper evident seal on the USB-ports is much harder as you might have to use them.

1
1
Christian Berger
Silver badge

Re: No, it's easy to exploit.

"The reason it's no longer very serious is that a patch is available."

Wait, there is a patch available turning off debugging via USB?

3
0

Juniper prepping for a 400 Gbps Ethernet world

Christian Berger
Silver badge

"4K" kinda probably not going to need that much data

I mean, yes higher Ethernet speeds will most likely be needed, even if it just means that your datacenter can be packed more efficiently over time. If you can replace 4 servers with each having a 10G connection with one with a single 40G that will mean you can do much higher densities.

However "4K" is just another video resolution. Since the advent of block based video codecs the resulting bitrate does not grow linearly with the number of pixels you want to transmit. You can see that with typical TV transmissions. HDTV roughly requires 4 times as many pixels per second than SD, however while SD typically runs at 4-10 Mbps, HD rarely is done at more than 13 Mbps on TV. It's just that there is not that much more relevant information in the picture to be encoded. "4K" will likely continue the trend and I'm guessing it'll be transmitted at around 15-20 Mbps. Better codecs will help with that, too.

So in short there are probably many reasons for 400Gbps, but 4K probably won't really be among them.

0
2

IBM slaps patent on coffee-delivering drones that can read your MIND

Christian Berger
Silver badge

I call prior art

I think it's been done in a recently published book named "Quality Land" by Marc-Uwe Kling.

1
0

Do I hear two million dollars? Apple-1 fossil goes on the block, cassettes included

Christian Berger
Silver badge

What's actually more interesting is how those early text modes worked

There are several books by Don Lancaster detailing about early computer video generation.

https://www.tinaja.com/ebksamp1.shtml

1
0

Keep yer plastic, says analyst: eSIMs aren't all they're cracked up to be

Christian Berger
Silver badge

"One that aims to share infrastructure rather than duplicating it."

The expensive infrastructure (buildings) are already shared. It's rare to find a site where you only have one. In fact usually they even use the same antennas.

3
1
Christian Berger
Silver badge

Re: "number portability"

In Germany there's a maximum amount of money carriers can charge to port the number. I think it's 20 Euros. However the new carrier typically will give you a rebate of 20 Euros when you port an old number to it.

2
1
Christian Berger
Silver badge

That won't work

Of course your provider could put your IMSI (Subscriber ID) into their database, however to be able to exchange data, they also need the key of your SIM. Sharing that data with other companies is a huge security risk. Not only would people be able to make calls on your bills, they would also be able to decrypt all the data that is exchanged via the radio interface. There is only one carrier I know of, which will give you the key to their SIM and that's "Eventphone". They don't offer service to mere mortals.

Instead many countries have something called "number portability", a partially manual process in which you can move your number from one carrier to another one with little effort.

20
2

Microsoft Visual Studio C++ Runtime installers were built to fail

Christian Berger
Silver badge

Re: C++ - the ultimate outdated and insecure tool

Perhaps to use an image.

C is like a room with a white floor and dark holes in it. Yes the holes are dangerous as you can fall into them, but with a bit of experience you can see them and take proper measures.

C++ is like the same room, but with a layer of carpet applied. The holes are still there, and you can still fall in, but seeing them is somewhat more difficult.

Other languages use different ways to solve the problem which could perhaps be seen as flooding the whole room with water (so you can swim) or filling the holes with concrete (so you can't fall in, but also not reach the walls of the holes). They all have their advantages and disadvantages.

1
1
Christian Berger
Silver badge

Re: C++ - the ultimate outdated and insecure tool

Well C++ has the problem of being so complex nobody can understand it with the problem of making it easy to shoot yourself into the foot.

C, on the other hand, actually is simple enough so you can understand what you are doing. So with C you have a chance of writing correct software if you are _really_ careful and have good experience in at least one assembler.

Considering the details of the PDF format, with its many weird complexities, there aren't many high level languages that could deal with it in a sane way. After all PDF allows you to wrap all kinds of data in all kinds of formats. A text can be encoded as lossless JPEG2000 wrapped in Base64 wrapped in "gzip". It never was designed to be parsed with a proper parser.

1
1
Christian Berger
Silver badge

"hundreds of millions of customers"

I didn't even know there were even that many ad companies.

3
0

Ex-UK comms minister's constituents plagued by wonky broadband over ... wireless radio link?

Christian Berger
Silver badge

A microwave link to populated areas?

I mean I can understand using a microwave link to connect a lonely hut somewhere on a mountain, but seriously if you have more than 10 people you're likely to run into capacity problems with microwave links, let alone reliability issues.

14
1

You want how much?! Israel opts not to renew its Office 365 vows

Christian Berger
Silver badge

Well in Germany...

...there are lobbyists to be fought.

43
0

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Christian Berger
Silver badge

There should be limits on the limitations of software licenses...

... particularly when said software can _only_ be used with hardware you have previously bought.

I mean it's not like some other company is going to build a microcode compatible CPU without Intel suing them into the ground.

6
0

The Register - Independent news and views for the tech community. Part of Situation Publishing