* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Intel Management Engine pwned by buffer overflow

Christian Berger

I consider that to be a feature

After all once you get your own code into Intel ME, you can control it. This feature by itself isn't actually a security problem as it requires hardware access (in which case you can do far worse). However it might allow you to actually kill ME from within, or even make it do sensible things.

Microsoft adds nothing to new Semi-Annual Windows Server preview

Christian Berger

"You are about 5 times more likely to be hacked than on Windows Server in an Internet facing scenario."

Yeah, those are the usual comparisons between a Linux box running crappy PHP software (like Wordpress) and a Windows box serving static webpages.

Linux laptop-flinger says bye-bye to buggy Intel Management Engine

Christian Berger

Re: Cool marketing idea

> Yes. You need a pre-2015 processor to escape it

And few of those are already on the market.

Christian Berger

Cool marketing idea

I mean disabling it probably doesn't cost them anything, and puts that laptop rebrander on the map.

One should note that the laptops currently on offer by refurbishers typically seem to be too old for ME... so it's not a pressing need yet.

Badass alert: 1 in 5 Brits don't give a damn about webpage crypto-miners

Christian Berger

Plus Google, Facebook et al likely have a TOS document you signed which allows them to do that.

Christian Berger

Considering what the "legal" Javascript malware does...

... crypto mining is rather fair. Instead of leaking personal data into large databases and actively launching an attack against your system and perhaps even your brain along with your CPU power, crypto miners just want your CPU power.

To me, that's by far the lesser evil.

WD to move all its stuff to RISC-V processors, build some kind of super data-wrangling stack

Christian Berger

Well one advantage is clear...

... they save a few cents per CPU core on licensing costs. Since RISC-V is likely to be supported as well as ARM by development tools, it simply is a sensible choice.

That 70s Show: Windows sprouts Sets and Timeline features

Christian Berger

One important aspect about modern operating systems is...

... how different programs can interact with each other. Unixoid systems have raised the bar rather high in that respect, as they managed to do it (mostly) without extra code.

This here is yet another one of the experiments. Of course it will fail, because nobody wants to adapt their code for this to work. It's like interprogram "drag and drop", which may work for some software written in some part of the 1990s, but for the rest it's rather hit and miss.

AI taught to beat Sudoku puzzles. Now how about a time machine to 2005?

Christian Berger

Product of the AI hype

Considering that Sudoku is fairly simple to solve by a computer.

Have a bitfield for every field. (9 bits)

1. Set all bits to 1

2. For the fields with clue n, set all bits to 0 except for the n-th

3. Reset the n-th bit of all fields related to clue n

4. If while doing 3 one field has only one bit set, see it as a clue and continue with 3

5. If there are no new clues, select one field with the lowest number of bits set.

6. Loop through all possible solutions for that field and recursively set it as a clue

7. If there are no fields with more than 1 set bit left, output solution

This simple 7 step sketch will give you all possible solutions to a given Sudoku. The Bitfield easily fits on the stack, making it possible to simply copy the whole field for the recursive step 6. (the step where you try out several possibilities) It may give you the same solution multiple times, but that's easy to fix with sort and uniq.

Of course doing it with neural networks is an interesting idea, but not really useful if you want to have results.
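The seven-step bitmask sketch above, carried through in C as an added example (this is not code from the post or from any project it mentions). One uint16_t holds the nine candidate bits of a cell; the whole grid is passed by value, so each recursive branch (step 6) works on its own stack copy and needs no undo logic. The puzzle and solution strings are constructed sample inputs. It branches only over the remaining candidates of one cell, so every solution comes out once, and it stops after MAX_SOLUTIONS so an almost empty grid cannot run unbounded.

```c
/* Bitmask Sudoku solver: one 9-bit candidate mask per cell (bit k = digit k+1). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CELLS 81
#define ALL9  0x1FFu          /* all nine candidates set */
#define MAX_SOLUTIONS 64      /* search stops once this many have been found */

typedef struct { uint16_t c[CELLS]; } Grid;   /* 162 bytes: copied per branch */

typedef struct {
    int count;
    char sol[MAX_SOLUTIONS][CELLS + 1];
} Solutions;

static int popcount9(unsigned v) { int n = 0; while (v) { v &= v - 1; n++; } return n; }

/* True if cells a and b share a row, a column or a 3x3 box. */
static int is_peer(int a, int b) {
    int ra = a / 9, ca = a % 9, rb = b / 9, cb = b % 9;
    if (a == b) return 0;
    return ra == rb || ca == cb || (ra / 3 == rb / 3 && ca / 3 == cb / 3);
}

/* Steps 3 and 4: every single-candidate cell acts as a clue and its digit is
   removed from all peers, repeated until nothing changes.
   Returns 0 on contradiction (some cell has no candidate left). */
static int propagate(Grid *g) {
    int changed = 1;
    while (changed) {
        changed = 0;
        for (int i = 0; i < CELLS; i++) {
            unsigned m = g->c[i];
            if (m == 0) return 0;
            if (popcount9(m) != 1) continue;
            for (int j = 0; j < CELLS; j++) {
                if (is_peer(i, j) && (g->c[j] & m)) {
                    g->c[j] &= (uint16_t)~m;
                    if (g->c[j] == 0) return 0;
                    changed = 1;
                }
            }
        }
    }
    return 1;
}

/* Steps 5 to 7: pick the undecided cell with the fewest candidates and try each. */
static void solve(Grid g, Solutions *out) {
    int best = -1, bestn = 10;
    if (out->count >= MAX_SOLUTIONS) return;
    if (!propagate(&g)) return;
    for (int i = 0; i < CELLS; i++) {
        int n = popcount9(g.c[i]);
        if (n > 1 && n < bestn) { bestn = n; best = i; }
    }
    if (best < 0) {                       /* every cell fixed: record the solution */
        char *s = out->sol[out->count++];
        for (int i = 0; i < CELLS; i++) {
            unsigned m = g.c[i]; int d = 1;
            while (!(m & 1u)) { m >>= 1; d++; }
            s[i] = (char)('0' + d);
        }
        s[CELLS] = '\0';
        return;
    }
    for (int d = 0; d < 9; d++) {
        if (!(g.c[best] & (1u << d))) continue;
        Grid next = g;                    /* stack copy for this branch */
        next.c[best] = (uint16_t)(1u << d);
        solve(next, out);
    }
}

/* Steps 1 and 2: 81 characters, '1'..'9' are clues, anything else is empty. */
int sudoku_solve(const char *puzzle, Solutions *out) {
    Grid g;
    out->count = 0;
    if (strlen(puzzle) != CELLS) return -1;
    for (int i = 0; i < CELLS; i++)
        g.c[i] = (puzzle[i] >= '1' && puzzle[i] <= '9')
               ? (uint16_t)(1u << (puzzle[i] - '1')) : (uint16_t)ALL9;
    solve(g, out);
    return out->count;
}

/* Convenience wrappers: number of solutions, and the first one found ("" if none). */
int sudoku_count(const char *puzzle) { Solutions s; return sudoku_solve(puzzle, &s); }
const char *sudoku_first(const char *puzzle) {
    static Solutions s;
    return sudoku_solve(puzzle, &s) > 0 ? s.sol[0] : "";
}

int main(void) {
    /* constructed sample input: a well-known published puzzle with one solution */
    const char *puzzle = "53..7....6..195....98....6.8...6...34..8.3..1"
                         "7...2...6.6....28....419..5....8..79";
    printf("%d solution(s): %s\n", sudoku_count(puzzle), sudoku_first(puzzle));
    return 0;
}
```

A puzzle with a duplicate clue in one row is rejected by propagate() with no solutions, and a grid where four cells can be swapped pairwise comes back with exactly two, which is how the counting wrapper doubles as a uniqueness check.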

Wizarding World of Harry Potter awaits Microsoft Office exam winners

Christian Berger

Seriously, they would be better off learning Dothraki or something

Learning Office Software (no matter what vendor) is a rather pointless exercise, as the GUI and many of the concepts will change rather quickly, and office products typically aren't very good at what they are advertising. Word sucks for printed documents, Excel sucks for calculations, etc... There's usually far better alternatives outside the whole "Office" space.

Learning Dothraki or Navi, however, will get you fame and fortune and you meet interesting people who in turn will dedicate words in their conlangs to you.

'Water on Mars' re-classified as just 'sand on Mars'

Christian Berger

Seriously, how can that be sand?

I mean it's clear, sand would be much more opaque:

https://apod.nasa.gov/apod/ap050401.html

To fix Intel's firmware fiasco, wait for Christmas Eve or 2018

Christian Berger

Well the fiasco is only about to come

Servers typically use the internal network chip, so they are likely to be affected by this. Considering firmware updates require at least a reboot and even then are hard to apply, we will probably see the first worms soonish.

Christian Berger

Re: PSP bugs?

"O.K. AMD has a similar feature to Intel, but does it have the same (or equivalent) bugs? If so, why aren't they being reported in the articles?"

This is highly complex closed software nobody ever took a look at. I think it's highly unlikely that they did a better job than Intel.

Christian Berger

It's likely that AMD has exactly the same kind of problems.

Devs working to stop Go math error bugging crypto software

Christian Berger

Re: So who uses Go for their crypto?

Well apparently Go can check for array bounds which, given the many security problems we had with this, is a good idea to do on code that handles crypto.

Patch on way 'this week' for HP printer vulns

Christian Berger

Well those, at least, can only do a moderate amount of damage. USB-printers are, in principle, much worse, as they can pose as keyboard and disk and therefore take complete control over your PC.

Back to the Fuchsia: The next 10 years of Android

Christian Berger

Unfortunately it's true

The "security features" of Android only secure business models. (i.e. having no official way of getting a root shell)

It's _far_ too complex for the little functionality it provides, resulting in many security critical problems... which won't get fixed as all changes have to go through the chipset manufacturers since Google didn't bother defining a hardware platform.

Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

Christian Berger

Re: If this wasn't meant as a deliberate backdoor...

Well yes, it can be a useful feature, however given that Intel has a history of locking out features on cheaper CPUs, why didn't they do that with ME? I mean surely there would be people paying for that feature.

Christian Berger

If this wasn't meant as a deliberate backdoor...

... why does Intel have it running on all their systems? Given their track record, they would have made it an optional feature costing quite some money.

DNS resolver 9.9.9.9 will check requests against IBM threat database

Christian Berger

One should note that running DNS resolvers is rather cheap

So I wouldn't rule out that this all comes out of the marketing budget, or in fact even the education budget as running a DNS resolver is so easy it's a rather ideal task for someone who wants to get started with running their own servers.

Parity: The bug that put $169m of Ethereum on ice? Yeah, it was on the todo list for months

Christian Berger

Re: Nothing is lost

"Question: If you can unwind transactions with the agreement of just 51% of users, doesn't that suggest that 51% of users could get together to defraud the other 49%?"

That's the basic principle of any blockchain. That's also the promise behind it as it makes it more democratic than a centrally managed system... in theory. However since people can just buy more processing power, the power over the system will be more and more centralized as we see with Bitcoin.

Christian Berger

You know, there are places where you shouldn't apply Postel's principle

And that's when you need security. You need to be able to decide whether data is formally correct or incorrect before you act on it.

That's why, quite some years ago, there's been a LANGSEC movement. Bitcoin apparently already followed the guidelines.

http://langsec.org/

or if you are in a hurry:

http://langsec.org/occupy/

DJI bug bounty NDA is 'not signable', say irate infosec researchers

Christian Berger

The whole NDA thing is rather questionable anyhow

I mean if I find out that a certain kind of LED lights is a safety hazard as it'll expose live wires when you pull on some part too hard, you damn well tell the public.

We are far too forgiving against manufacturers of software. They often purposefully build security issues into their software and instead of issuing re-calls we allow them to patch their software as often as they like.

Universal basic income is a great idea, which is also why it won't happen

Christian Berger

"Basically, comes down to a government / state controlling everything you do - and the gradual erosion of personal choices and liberties as they're seen to be at a higher cost, etc."

Which is exactly what's happening in countries with a "free market". A "free market" usually leads to less competition as competitors will simply cooperate or merge to get around competition.

Christian Berger

The fascinating thing is that we are already there

Starting in the 1960s, productivity has been high enough so people could work less for the same comfort. That's why German unions have been able to lower the work time per week to 38 or even 35 hours in union shops. (=Mostly car industry)

We are already seeing more and more "bullshit jobs" which consist of fulfilling artificial bureaucracy. We are seeing more and more calls from the economy to lower education standards to lower productivity. The best known one is the Bologna-Process.

The only reason we don't have universal basic income probably are neoconservative think-tanks like the Mont Pelerin Society.

Evil pixels: Researcher demos data-theft over screen-share protocols

Christian Berger

Re: I think I get the idea here.

No it doesn't. You can simply open up files in the default editor and read them off the screen again. That's not rocket science.

Christian Berger

Yes, you can leak data via the screen

Just like you can leak arbitrary data via the printer, keyboard LEDs, network interfaces, sound cards, power consumption or any other kind of output interface. It's what they are meant for. It's what the "output" part of "output interface" stands for.

Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Christian Berger

damn posted too early, it should be

..having a separate system designed to circumvent security boundaries which is enabled by default is certainly a stupid thing.

Christian Berger

Increasingly security is about not doing stupid things...

... and having a separate system designed to circumvent security boundaries which is enabled by default.

Seriously, if you make any system more complex, it'll be less secure.

Boffins tear into IEEE's tissue-thin anti-hacker chip blueprint crypto

Christian Berger

Re: Seriously that sounds like an utterly stupid idea

Well but still, there is some software turning logic into masks. It's not done by hand anymore. There surely is a way to do the reverse automatically.

Christian Berger

Seriously that sounds like an utterly stupid idea

I mean eventually you need to create physical masks. Something you could scan again and reverse engineer fairly easily. That's something that has been done by amateurs (Visual 6502 project) in the past, and surely there are reverse engineering companies offering that as a service.

CableLabs, Cisco working on LTE-over-DOCSIS

Christian Berger

Re: So essentially...

Kabel Deutschland... much of their equipment still is from the 1980s... as evident from captions when something goes wrong still saying "Deutsche Bundespost".

Updating Things: IETF bods suggest standard

Christian Berger

Not really much of a problem

If you have auto updates you can disable, but enabled by default, I don't see much problem.

After all, unlike software companies, hardware companies do have some liability. If you have a long out of warranty device which burns down your house because of a manufacturing defect, the manufacturer/vendor/importer is responsible for it. Those "accidental" bad patches should be easy enough to be traced back to the manufacturer.

Christian Berger

We need to move past updates

If a manufacturer ships a dangerously defective product, allowing them to send out an update is already a big step towards them. Normally that manufacturer/importer/dealer would be forced into a product recall.

We need to simplify devices again. Why does a webcam have an always running web based configuration interface? Wouldn't it be much simpler if that interface would only run within the first 10 minutes after powerup, and then configuration changes would be done by regularly downloading a configuration file via HTTPs?

Why do we have TR069? I mean I can understand the need for remotely managing devices... but why TR069, wouldn't a simple protocol be able to do everything just as well?

Donald, YOU'RE FIRED: Rogue Twitter worker quits, deletes President Trump's account

Christian Berger

Interesting question: Do people have a right to a twitter account?

I mean what if twitter just kicked him out? It's a commercial service after all that's not really regulated.

Wheels are literally falling off the MoD thanks to lack of cash

Christian Berger

Ahh I know that pattern

the same story is currently used by the German Bundeswehr to justify increasing its budget. In Germany they even hired a consultancy company (I think PWC) for that.

America's 2020 Census systems are a $15bn cyber-security tire fire

Christian Berger

Re: Seriously, that's something you probably could do via batch processing

BTW, this famously was done on punchcards in the past. Essentially when you collect your data in text files on a central hardened computer, you can easily write programs to answer all of your statistical questions. Even if we are talking about Terabytes of data, the programs will run faster than you can write them.

So statisticians can submit their programs to that air gapped computer and get back the results.

Christian Berger

Seriously, that's something you probably could do via batch processing

Just collect all the data in simple text files and process them overnight. No web interfaces or other complex shit required, just transferring some files, for example via encrypted e-mail or sftp.

This shouldn't be complicated.

Fine, OK, no backdoors, says Deputy AG. Just keep PLAINTEXT copies of everyone's messages

Christian Berger

What a wonderful diversion...

... let's all argue about encryption done by proprietary systems to divert from the much more real threat of "metadata".

The contents of a phone call or a text message are relatively hard to process, and even simple measures like using code words can make the job much harder.

"Metadata" is much more valuable as it is easy to process by computers. You can easily find out the graphs of interaction and therefore find out social networks.

F-35s grounded by spares shortage

Christian Berger

Maybe we are looking at it from the wrong angle?

I mean let's think of where all the money goes to. It's the aerospace industry.

What if those projects are not about getting planes, but about giving money to the aerospace industry. Considering that only nation states will buy those planes, surely it would be much more efficient to create an international company developing and building them.

Holy DUHK! Boffins name bug that could crack crypto wide open

Christian Berger

Well...

... crypto certifications require resources which could otherwise be used to have better crypto.

Or in a practical example: Imagine company X has a random number generator which passed certification. Now one of the engineers has a good idea to make it much more secure. They will be stopped from implementing it since any change would mean recertification which is expensive.

Gotta have standards? Security boffins not API about bloated browsers

Christian Berger

There is a political decision behind this

All of our current browsers are made by companies, some by for profit ones, some by non profit ones. All want to maximise dependency on them. If you had a browser which just worked and was bug free, you'd never upgrade. Eventually you end up like GnuPG which is finished, yet there is a small company behind it wanting to earn money.

So every player in the field has an interest in there being more and more standards. Every new standard means that users will have to update. Every new standard raises the entrance level for new competitors. So every new standard is good for the already existing browser companies.

NetBSD, OpenBSD improve kernel security, randomly

Christian Berger

It doesn't matter that it doesn't relocate in RAM while running

Relocating it once per boot is enough. You essentially hide a 1 Megabyte Kernel in 4 Gibibytes of space... or 16 Exbibytes if you're on a 64 Bit platform. Guessing the right address gives you a 1:4096 or 1:17592186044416 chance of successfully hitting anything inside the kernel. (I may be off by a factor of 2)

And what happens if you guess wrong? Your kernel will have a page fault and cleanly terminate, resulting in a reboot and a new kernel layout.

BTW if you have guessed one address of the kernel directly, you still haven't won very much, you still need to guess what part of the kernel you've just found, and where the parts you want are.

Christian Berger

Well yes...

... but how often do you share in RAM kernel images with other systems?

Besides if the attacker guesses wrong, you'll have a reboot.

Google emits tools to make cross-platform HTML apps less tragic

Christian Berger

Why don't they make a separate Web-App platform?

Something like "VNC" or "RDP" which tries to separate the application logic from the GUI, with the GUI being controlled from a server you connect to. No more asynchronous mess trying to guess what session separate requests belong to, but a session defined in a simple and consistent way. While you are at it, you might as well fix client-side certificates and use those for authentication. Transfer access to new devices via simple tokens, i.e. by using QR codes holding an URI.

HTML/CSS/JS never was meant for applications. It was always meant for quasi-static pages.

Arm isn't saying IoT firmware sucks but it's writing a free secure BIOS for device makers

Christian Berger

None of this seems to have anything to do with the actual problems

We don't need locked down bootloaders as an attacker won't worry about staying persistent on the device. However users may want their own, more secure firmware on the device.

The problem we're currently facing are idiocy (using the userspace from your BSP) as well as incredibly complex protocols (TR-069).

New phishing campaign uses 30-year-old Microsoft mess as bait

Christian Berger

The sad thing is...

... that in many companies even technical roles are forced into using Outlook and Office products as well as Acrobat Reader.

At the company I'm currently working at, we had one of those encryption malware, which was just a matter of time as we have no actual security. The IT department was congratulated!

Dev writes Ethereum code for insecure SHA-1 crypto hash function

Christian Berger

Re: It's rather fitting

"Smart contracts run on a finite amount of gas, and are therefore not Turing complete."

Well yes, but by that notion, there are no Turing machines as the universe has a limited lifetime. It's like saying malware doesn't exist on mobile devices as the battery runs out.

Christian Berger

It's rather fitting

Implementing an algorithm that should be dead (SHA1) in an environment that should not exist (smart contracts that are Turing complete)

Google faces $10k-a-day fines if it defies court order to hand over folks' private overseas email

Christian Berger

Cheap marketing

That's very little money for keeping up the idea that data is safe with Google, regardless of what reality looks like.