* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Leaked pics: Motorola to add 'unpatriotic' 5G to 4G phones with magnets

Christian Berger

Well in the GSM world radio progress isn't the most important thing

It's usually how the patents are distributed among the large implementers. That's why, instead of sane codecs like Speex or Opus, they use weird codecs like AMR.

So it makes sense to develop your own "patent-reduced" standards, as it'll likely even be complexity reduced because of that.

ISP popped router ports, saving customers the trouble of making themselves hackable

Christian Berger

TR-069

Well that's actually a widely exploited vector. If you hear about "Millions of Routers becoming part of a botnet", that's usually a flaw in the TR-069 implementation. It's just far to complex to be implemented correctly by BSP-reskinners.

Android daddy Andy Rubin's Essential axes handset, is 'actively shopping itself' – report

Christian Berger

Re: If it were anyone other than Google who bought Android, Inc...

"It's been the best OS around introducing features years before apple copy them,"

Maybe it's been the best _mobile_ OS around, however it's a far cry from most operating systems. I wonder why mobile OS vendors all had to do the same obvious mistakes.

Christian Berger

I don't know...

I mean most mobile phone ecosystems have the same problem. Paid applications seem to only make that worse. Just look at things like "Pay to Win" in games or paid applications still siphoning your data.

What would have had a chance if there was some minimalistic operating system for mobile devices. Something that just adds a "phone layer" on top of a "normal laptop". In a way a modern form of the Nokia Communicator. We would now have the technology.

The problem with the Essential Phone was, that it was just what reviewers wanted. It didn't have an easy to replace battery. It had some gimmicky "modular" thing, which only offered things that were normal in mobile phones. Reviewers love that. However if you actually have to spend money for it, practical use is somewhat more important.

Electron patches patch after security researcher bypassed said patch

Christian Berger

Re: What is Electron?

Well true, I think it also allows your text editor to execute code from text files without your intervention. Kinda like the Canon Cat, but less competently made.

Christian Berger

Re: It's simply a terrible idea

"But it's a low hanging fruit, you can reuse your cheap javascript developers"

Yes, but getting software written by people who have little idea what they are doing is actually a recepie for desaster. We have seen that in the 1990s. It was so bad that crashing computers were the norm in the PC and Mac world.

Christian Berger

Re: What is Electron?

No it's like all those jokes about EMACS combined and amplified by a factor of 100. Essentially Electron is not just an operating system like EMACS, it's much more complex than an operating system, yet has very little actual functionality.

Christian Berger

It's simply a terrible idea

to use a full browser, one of the most complex software projects around, as a GUI framework. Seriously Windows 3.1 had a powerfull GUI framework and that fit onto a single floppy disk.

Besides browsers were never made for interactive applications, that's why it's so hard to do that with them.

Can't pay Information Commissioner's fine? No problem! Just liquidate your firm

Christian Berger

So where is the news here?

Company messes up badly, company goes kaboom. That should be the norm. Unfortunately for many big companies that is not the case.

Big bimmer bummer: Bavaria's BMW buggies battered by bad bugs

Christian Berger

That's because people rarely look at such things

Here's for example a talk talking about the many problems of "secure" random number generators in QNX

https://media.ccc.de/v/34c3-8730-taking_a_scalpel_to_qnx

With embedded devices it's usually the closed source software the manufacturer puts on it. It's extremely rare to find a bug in, let's say, the TCP/IP stack... whereas even I was able to find a Ping of Death bug in Nucleus within a few minutes of trying some years ago.

Christian Berger

the key word here is "was"

Most of those systems start up rather decent, by people with a vision and knowing what they are doing. However that was in the 1980s and 1990s. Today people who are interested in operating system work don't work on proprietary ones any more as it's not really something that is very fulfilling.

I've seen that with "Nucleus", once a popular operating system for GSM basebands. You can see the quality gradient from the old core features which are moderately well designed (though a far cry from something like OpenRTOS/FreeRTOS) to things like the USB stack (which would crash immediately with the default settings) and the board support package, which actually had problems you could _see_ in the code without understanding C. Or the JSON generator which had a beginner's bug in it's integer output function.

Christian Berger

Well those companies typically work hard to keep decent programmers out

For example by having decisions like "we use QNX" dumped onto the programmers because some salesperson came along selling it with bogus arguments, like that it's not "Open Source". In reality that means that your board support package will be closed source and written by highly incompetent programmers.

Essentially those things will drive any decent programmer out of the company. What'll be left are those who just want the money and don't care about what they are doing. So obviously they don't care about the security of their code.

Microsoft gives users options for Office data slurpage – Basic or Full

Christian Berger

Re: GPDR Fines

You forget something, Microsoft is an US company, if they refuse to pay, they refuse to pay. Nobody is going to do the thing they should have done 20 years ago and ban their products if they don't pay.

Christian Berger

It's actually even worse

We now have App-Stores where softare manufacturers can charge money in arbitrary increments. Even the Apps you pay for sell your data or display advertisements.

Christian Berger

Re: Why not NONE?

"Basically, if MS in any way valued the security and confidentiality of the people who use their software, they would provide a NONE option,"

If they did so, the Windows ecosystem would look a _lot_ different. They would be running regular massive code audits. They would strive to make their systems simpler instead of re-inventing the wheel every few months. They would depreciate and remove VBA from their office products.

However why should they do so? The remaining users of their software are either forced to use it, or they obviously don't care about security and confidentiality.

Christian Berger

Remember when people claimed that if you pay for a service your data is protected?

Seriously what a naive idea. Any company will always opt for getting more money and/or data out of their user if they can.

Router admin? Bored? Let's play Battleships using BGP!

Christian Berger

What I wonder is...

since this apparently works without changing the protocol. Would it be possible to use those 16 bits to transmit some cryptographic hash for that route. Obviously you need more than 16 bits for that so you'd combine more messages to some sensible length.

Christian Berger

Well Dan Kaminski actually ran audio streams over DNS

way back when he was cool. The great advantage is that DNS is extremely well cached, so you could run a web radio station from a measly little ISDN line.

BTW back when ISDN was introduced in Germany, there was a manufacturer of ISDN equipment demonstrating chess over "User to User Signaling", an obscure feature of ISDN which allowed you to send free data while establishing a call.

Zuckerberg gets a night off: Much-hyped Euro grilling was all smoke, absolutely no heat

Christian Berger

To bad they didn't let Sonneborn have a go

For example he once asked Günter Öttinger some questions, and asked him to answer in English:

This is Öttinger:

https://www.youtube.com/watch?v=sZ2Pz4naZPs

Those are the questions, turn on subtitles, they work decently.

https://www.youtube.com/watch?v=jsbV3fGe4eU

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on

Christian Berger

The biggest blow so far probably was Sixxs ending its service

They had simple no-fuss tunnel services which even worked over UDP, and provided you with /56 networks. Many decent home routers even supported it out of the box.

Christian Berger

Re: Not an issue if you already have an ipv4 address

""you can't really use it without a DNS; the addresses are impossible."

Yes, this is a rather serious downside to IPV6."

Well with IPv6 you can have "vanity addresses". For example "Fefes Blog", one of the largest German blogs has the IPv6 address 2001:4d88:3508::fefe:b106. Since the 2001:-prefix is almost universal, you end up with "4d88:3508" you actually need to remember. Those are 32 bits and therefore just as much information as an IPv4 address.

Astronaut took camera on spacewalk, but forgot SD memory card

Christian Berger

Well actually...

"Well, I suppose we're all thinking that an astronaut should be more than capable of understanding a 'no SD' message."

One has to consider that those people, particularly during a space walk, want do minimize risks and make sure mission control has an as good as possible idea of what's going on. So it's logical to tell them that the display says "no SD" instead of claiming that there is no SD-card in the device, it's simply more precise. After all this particular device might have an error that makes it display that message even if it's working just fine. So it makes sense to say that the display is showing an error and asking how to proceede, before deeming it non-critial and going on. The wording may have been a bit odd, but spacewalks are stressfull situations.

Zero arrests, 2 correct matches, no criminals: London cops' facial recog tech slammed

Christian Berger

Surveillance has different needs

If you just want to track people that's the far simple scenario. You can essentially track blobs of movement most of the time, and should you get a clear shot of their faces you can use that. It even doesn't matter if those systems are unreliable as you can use other data to work around that. For example behavioural patterns can be used.

Christian Berger

Face recognition only works

when your subject is cooperating. Even then it has failure rates far above anything useful.

Red Hat admin? Get off Twitter and patch this DHCP client bug

Christian Berger

From the people who brought you...

NetworkManager and Systemd

How many ways can a PDF mess up your PC? 47 in this Adobe update alone

Christian Berger

Well actually...

PDF is not _that_ bad, at least not if you use "archive grade" variants of it. You can cut down the featureset enough to be both safe and usable.

PS is an accident waiting to happen, as PS is actually turing complete code by design. So you'll likely be able to exploit things via it, even on completely correct implementations.

Christian Berger

Well...

You can, hypothetically, write good code in C++, the problem is that C++ is so incredibly complex, that most programmers only know a fraction of it very passingly. So typically they have little idea what their code does. Combine that with no memory safety and you get a recipe for disaster.

The few people actually knowing C++ don't write software (except for compilers), they tour the world teaching C++.

C has similar problems, but at least it's low level enough that you can understand what's happening and therefore know where to focus your attention on.

Actually today the ideal language for something like a PDF reader might actually be Delphi. There's now a full free cross-platform implementation around. It's got memory safety, integer bounds check, array bounds check, a platform independent GUI toolkit which looks native on every system.

Christian Berger

Many companies...

...force it upon their users.

Christian Berger

Re: Use-After-Free and Heap Overflow in 2018?

Keep in mind that much of Acrobat Reader probably still is from the 1990s with added bells and whistles. Nobody dares making a rewrite as there are probably old files which that would break.

Christian Berger

"I didn't know Adobe supplied anti-virus/malware etc..."

Even if they did, they'd have little way of knowing.

Have you updated your Electron app? We hope so. There was a bad code-injection bug in it

Christian Berger

Re: So once again ill considered default config settings.

The whole thing doesn't seem like they ever stopped 10 minutes to think it over. If they did, they wouldn't have made it.

It's a logic conclusion that stupid things are done by dumb people. If the people were smart, they wouldn't have done it.

Christian Berger

Actually the other way round

As Browsers now are commonly more complex than most OS kernel and GUI-frameworks combined. It's more like calling Chrome a text editor. Yes Electron does have some elements of a GUI framework, but no it's obviously not made to be used that way as most of it's code is about web browsing and the DOM is not actually suitable for applications.

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats

Christian Berger

It's not an PGP or S/MIME issue

It's an issue with brain dead mail clients interpreting HTML and loading external images, so stop trying to spin it as if it's an encryption issue. It's an HTML-mail issue, get rid of HTML and it's gone.

PGP and S/MIME decryptors can leak plaintext from emails, says infosec professor

Christian Berger

Re: Defensive programming

"by default, mail clients should have a built in firewall that prevents outgoing network requests"

Well there is no actual use for HTML-E-Mail. And even those pseudo uses work fine with minimalistic renders which ignore everything except for some tags and never talk to the networ nor execute scripts.

Christian Berger

Re: The Details have been published

I've seen multiple. For example "David" some obscure kitchen-sink package does it, and doesn't even have a way to disable it. (you can however browse the TV-schedule with it, true enterprise grade software)

I think even Outlook shows such images by default.

BTW there are Spam companies like Adobe which provide tracking services for e-mail abusing those features.

Christian Berger

The Details have been published

https://efail.de/

And it is a problem of HTML-Mail and broken clients which load external images.

Ubuntu sends crypto-mining apps out of its store and into a tomb

Christian Berger

The problem is the mindset behind it

Installing software shouldn't necessary be easy, as software can be dangerous. Therefore you should check where your software is coming from and use as little as possible. Every line of code is a risk you take.

That's why there is a security rule to separate data from code. Data should always be safe to use so you can get it freely. Code on the other hand is something that needs to be checked, something that is dangerous.

Unfortunately we now have new commercial platforms, which like most commercial platforms are unfit to deal with data by default. Therefore every trivial task needs an "app" which then often just displays a webpage in a browser. Webbrowsers lack basic functionality like being able to sort an HTML table. Therefore webdevelopers augment browsers in the worst possible ways, by writing client-based code to run in them.

Wanted that Windows 10 update but have an Intel SSD? Computer says no

Christian Berger

Re: It's a special thing about most closed platforms

"No sign that anybody is interested in fixing it:"

To be honest that does look a lot like a design problem of your laptop.

Christian Berger

It's a special thing about most closed platforms

"just don't understand why they have to tweak with the driver and software model that breaks stuff that has been working"

Essentially when you are writing software for the less traveled areas like device drivers, you will find some bugs in the API, either stuff not working as documented or stuff missing you can get via side effects.

On a modern Free Software project you'd just submit a bug report the bug would be fixed within hours to days and you can get an experimental patch rather quickly. This doesn't work in commercial environments. There you cannot simply send something to another company. There is no public mailing list you can subscribe to and submit your bug report.

So people make workarounds. If they are lucky, the workarounds will still work once the bug is fixed, if not the piece of software breaks.

Fixing a printer ended with a dozen fire engines in the car park

Christian Berger

Well the insurance company probably would pay for this...

... after all it's very bad to train people to not report anything unless they are sure it's smoke. Any delay on an actual fire would cost far more than that situation.

Heir to SMS finally excites carriers, by making Google grovel

Christian Berger

Re: So it's unanimous then, We all say "Piss Off !!!"

It's not simple, in fact there have been many broken implementations allowing you to crash a phone by SMS.

Christian Berger

SIP is probably the worst standard to base this on

Yes SIP currently is the de facto standard for phone calls, however it's a really complex protocol commonly implemented badly on all sides.

Fork it! Microsoft adds .NET Core 3.0 including Windows Desktop apps

Christian Berger

Meanwhile in the rest of the world...

you have something like Lazarus, where you can easily build Windows GUI apps... you can compile to native code on any major desktop platform. It'll even look native everywhere as it's using the native GUI components.

And unlike .net you get a statically linked executable.

Sir Clive Sinclair dragged into ZX Spectrum reboot battle

Christian Berger

Isn't it obvious...

... after all this is about a product that just looks simmilar to a home computer of the 1980s loved by millions who owned it or its number of clones. A product stripped of its essence and reduced to a simple gaming device.

So it acts out certain aspects about the original, without being even close to the original, in a way just like an actor.

Twitter: No big deal, but everyone needs to change their password

Christian Berger

Now if web developers and browser vendors would for once get to their senses...

... we'd move to HTTP authentication and TLS client certificates. Both don't need the cleartext password to be sent to the server for every authentication.

45-day drone flights? You are like a little baby. How about a full YEAR?

Christian Berger

Re: 45 days vs 365

Don't be silly, you can just eject the film in a small capsule with a parachute.

HP Ink to compensate punters for bricking third-party ink cartridges

Christian Berger

Re: Motherf***ers. I strongly doubt this is the only HP that has done this.

Well Brother has the problem of some of their printers using proprietary languages. Which essentially means that after a couple of years they will become harder and harder to use.

However most monochrome laser printers have near infinite toner capacity, particularly old ones. So if you are looking for a monochrome laser printer, devices like the HP-LaserJet 4 series are kinda your best bet.

UK Parliament roars: Oi! Zuck! Get in here for a grilling – or you'll get a Tower of London tour

Christian Berger

Seen rationally

Zuckerberg has no reason to appear before any parliament, or bow down to any kind of law. Even heavy fines won't be relevant as there won't be any way to actually enforce them.

We allowed Facebook to become to big to fail.

Graphene-wrangler Paragraf slurps a cool £2.9m

Christian Berger

Considering the potential...

... and the amount of money even totally useless Web 2.0 companies are getting. 2.9 Millions seems extremely modest.

NASA dusts off FORTRAN manual, revives 20-year-old data on Ganymede

Christian Berger

Re: Paper tape anyone?

"I wonder how many paper tape readers still exist?"

Papertape readers actually are simple enough to produce. Take a PCB, put on a row of phototransistors (either 6 or 9 depending on the number of bits per character), have a second, smaller PCB with holes and "upside down" SMT LEDs which has its edges filed down to be as smooth as possible. And place both PCBs on top of each other, with some small gap in between. You just pull though your paper tape and there you go. One phototransistor will give you the clock, the others will give you the data. Since papertypes have a dedicated row of perforation you have a clock, therefore you don't need a motor to maintain constant speed.