* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Christian Berger

I call Bullshit on this

ISPs probably already log their NAT tables, even cheap "hot spot" routers can do that easily. The enforcement companies probably just don't yet submit the ports to information requests.

Of course there are the people who want to see the Internet as a glorious Facebook delivery network. Those are happy with CGNAT. However that's not what the Internet is. The Internet is a peer to peer network with no participants playing a special role. It's just that home NAT and bad home operating systems have killed the peer to peer idea for most people. They see the Internet as something dangerous. Any "snakeoil in a box" solution will be evaluated based on how many alerts it presents to you. Don't run your own webserver to share your pictures, use Facebook instead, then you'll be all safe and warm behind your double or triple NAT which logs all your connections.

However, with ubiquitous surveillance, maybe we should consider getting alternatives to the Internet; meanwhile IPv6 will at least save us from the marketers who evaluate every bit we send the Facebooks and Googles of the world, since we can easily build ways around them.
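A worked illustration of the point about NAT logging above (added here, not part of the original comment): a CGNAT port-block log resolves to exactly one subscriber only when the information request carries the public source port and a timestamp alongside the public IP; with the port missing, every subscriber sharing that address at that moment is a candidate. The log format, addresses and times are constructed for this example; real CGNAT syslog formats vary by vendor.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Lease:
    inside_ip: str    # subscriber address behind the CGNAT (shared address space 100.64.0.0/10)
    public_ip: str    # shared public address the subscriber appears as
    port_start: int   # first public source port of the allocated block
    port_end: int     # last public source port of the block (inclusive)
    start: datetime   # lease start (UTC)
    end: datetime     # lease end (UTC, exclusive)


# Constructed sample log: one port-block allocation per line.
# inside_ip,public_ip,port_start,port_end,lease_start,lease_end
SAMPLE_LOG = """\
100.64.12.7,203.0.113.5,10240,10751,2017-10-16T13:50:00+00:00,2017-10-16T14:20:00+00:00
100.64.12.8,203.0.113.5,10752,11263,2017-10-16T13:55:00+00:00,2017-10-16T14:30:00+00:00
100.64.30.2,203.0.113.5,11264,11775,2017-10-16T14:00:00+00:00,2017-10-16T14:10:00+00:00
100.64.30.2,203.0.113.5,10240,10751,2017-10-16T14:25:00+00:00,2017-10-16T15:00:00+00:00
100.64.99.1,203.0.113.6,10240,10751,2017-10-16T13:00:00+00:00,2017-10-16T16:00:00+00:00
"""


def parse_log(text: str) -> list[Lease]:
    """Parse the constructed CSV-style lease log into Lease records."""
    leases = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        inside, public, p0, p1, t0, t1 = line.split(",")
        leases.append(Lease(inside, public, int(p0), int(p1),
                            datetime.fromisoformat(t0), datetime.fromisoformat(t1)))
    return leases


def active_at(lease: Lease, when: datetime) -> bool:
    return lease.start <= when < lease.end


def resolve(leases: list[Lease], public_ip: str, public_port: int,
            when: datetime) -> set[str]:
    """Complete request (public IP + source port + time): the matching subscriber(s)."""
    return {lease.inside_ip for lease in leases
            if lease.public_ip == public_ip and active_at(lease, when)
            and lease.port_start <= public_port <= lease.port_end}


def resolve_without_port(leases: list[Lease], public_ip: str,
                         when: datetime) -> set[str]:
    """Request lacking the port: every subscriber sharing that public IP at that time."""
    return {lease.inside_ip for lease in leases
            if lease.public_ip == public_ip and active_at(lease, when)}


if __name__ == "__main__":
    leases = parse_log(SAMPLE_LOG)
    when = datetime.fromisoformat("2017-10-16T14:03:11+00:00")
    print(resolve(leases, "203.0.113.5", 10300, when))        # one subscriber
    print(resolve_without_port(leases, "203.0.113.5", when))  # three candidates
```

Note that the same public port block is reused by a different subscriber later in the day, so the timestamp is as essential as the port.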

CableLabs, Cisco working on LTE-over-DOCSIS

Christian Berger

So essentially...

... they are trying to not only put their subscribers, but also base stations on the already crowded DOCSIS loops made out of crumbling 30-40 year old coaxial cables?

Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

Christian Berger

Re: DDE is a Windows feature - not an Office one

Well, DDE is one of several similar features (because Microsoft just loves reinventing features). OLE Automation is, as far as I know, distinct from it.

And of course there's probably still lots of software around which is vulnerable to that timer callback pointer problem, where an external message can include a callback pointer which will be called.

In short, there are no security boundaries between different programs running under the same user.

Christian Berger

The problem is deeper

1. Users on Windows are conditioned to always click "OK" when a popup appears. Popups appear even for completely pointless reasons. To the user they all look alike.

2. The default way to install software on Windows is to download some file from some obscure location and then essentially execute it.

3. Because of 2, browsers often allow you to execute files you just downloaded right away, eliminating precious seconds in which the user could think about what they are doing.

4. This is not limited to Windows, but there are idiots who believe that sandboxes work, even though they have been proven otherwise countless times. Those people insist on Turing complete languages even in places where they are not essential. The results are websites that require JavaScript, or companies requiring you to install an app to get to their services.

Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

Christian Berger

I've recently seen a current version of Outlook...

... and I can now say with confidence that Microsoft gave up on e-mail a long time ago. It still doesn't even have basic functionality like being able to display topic trees correctly.

Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

RDX removable disk has ransomware protection begging to be bypassed

Christian Berger

Re: Ahh, it's application level granularity...

"I believe that hole (that potentially allowed you to take over the elevated privileges of say antivirus programs!) was fixed some time ago."

No, it's been found some time ago; since it's an application problem, it needs to be fixed in every application... which is not going to happen, particularly for all that legacy stuff companies depend on.

"True, but corporates would normally only allow trusted signed or trusted location macros to run. Even for consumers Office defaults to disabling active content by default and warning you before enabling them."

The OLE Automation problem does not rely on Macros being enabled. You can simply control those applications from another program. It's an intended feature. Even if there wasn't OLE Automation, you could still just start the program, make the window invisible, and send keypresses.

There simply are no security boundaries between Windows applications running under the same user by design.

Christian Berger

Ahh, it's application level granularity...

therefore it's software.

One obvious attack is attacking that software. Maybe if it crashes you get full access.

More likely attacks are on the software a user uses. Many Windows programs have a bug handling timer events. Essentially they activate a timer which will generate an event after some time. That event can have some data attached to it. In the 1990s it was common to put a pointer to the function you want to be called there. Additionally you can set the text of GUI elements from another program (one important Windows feature, it's often used by screen readers), so you can get code into them. Add both problems together and you can get any software to do anything.

Ohh and of course if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions. You can even do it in the background. Also you can execute code in the context of Word or Excel.

'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Christian Berger

I'm sorry, but wasn't there a "cloud" anti virus involved...

... which uploads files to the manufacturer's cloud for further checking?

It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked

Christian Berger

Can't we just call it properly?

It's not "database thieves". There probably were no people breaking into a data centre stealing hard disks.

It probably was them either having an SQL injection bug or them putting a backup somewhere where it could be found. In any case it's Disqus's fault. If they insist on user logins (which is totally unnecessary for comments) they have to make sure they deal with their data responsibly. They apparently didn't, so it's their fault.

RAM, bam, awww ... man! Boffins defeat Rowhammer protections

Christian Berger

Re: We can't we just admit that sandboxes don't work?

"but contain instructions carefully crafted to trip up the parsers that are supposed to display them to you."

You can formally verify parsers for decent languages, and you can make your language simple enough that your parser will be so trivial, it won't have a bug.

Christian Berger

Re: We can't we just admit that sandboxes don't work?

Well that's actually rather easy:

1. Use distributions sharing the same values as you have.

2. Have you ever seen the web before JavaScript and Flash? Everything worked much faster, despite browsers that choked on some GIFs and dialup connections.

Things don't magically work just because you want them to work. Sandboxes have been proven over and over again to not work.

Christian Berger

We can't we just admit that sandboxes don't work?

Can't we just ban Turing complete code from untrustworthy sources from our computers? Can't we just change the web so websites aren't Turing complete any more?

Mozilla extends, and ends, Firefox support for Windows XP and Vista

Christian Berger

That depends on the services enabled

I mean for Windows 2000 there used to be a tool which just disabled all network facing services. That tool made even a Windows 2000 machine fairly secure.

The big problem with Windows is that the services are even less transparent than systemd. You have no direct way to list all open sockets, and many services share the same TCP ports.

Add to that that many applications need now-obscure network features (like DCOM) and you have a recipe for disaster.

Oracle VP: 'We want the next decade to be Java first, Java always'

Christian Berger

Re: "Java [..] is the number-one programming language"

Well for some unknown reasons SIM-cards often contain a tiny JVM.

Russian telco backs up North Korea's sole Internet link

Christian Berger

There are some details on Internet in North Korea

They have an internal net which uses private IP addresses instead of DNS because, obviously, they are easier to remember than some Latin transliteration.

There's Internet for foreign professors who are invited into the country, but it's unclear who else gets access to it.

There's actually a talk about it:

https://media.ccc.de/v/31c3_-_6253_-_en_-_saal_2_-_201412292115_-_computer_science_in_the_dprk_-_will_scott

BTW, has anybody heard the news that Li Jong-nui succeeds Kim Jong-un?

http://www.der-postillon.com/2017/10/li-jong-nui.html

Azure fell over for 7 hours in Europe because someone accidentally set off the fire extinguishers

Christian Berger

The insane thing about it is...

that most of the things people do on that cloud are things you could do at home with an extremely modest server from 20 years ago. E-Mail and storage aren't particularly hard things to do.

Commodore 64 makes a half-sized comeback

Christian Berger

I find such projects a bit sad

Essentially they are reducing home computers to games machines. Home computers were excellent toys to learn how computers worked. They had programming languages simple enough to fully learn in 2 weeks, they had hardware and "operating systems" easy enough so they could be fully understood by the determined hobbyist.

Compare that to the Raspberry Pi, which runs a highly complex operating system, on highly complex and only partially documented hardware. No single person can understand it and learn from it.

Maybe we should instead make a Commodore PET clone, with a small microcontroller running a 6502 emulator as the CPU and perhaps video output. That way we could have a machine again which would be understandable by everyone, yet powerful enough to do things.

Forget the 'simulated universe', say boffins, no simulator could hit the required scale

Christian Berger

As well as...

our universe being in the same order of magnitude of space as the universe the computer is in.

This is simply an undecidable problem.

Sigfox doesn't do IP and is therefore secure, says UK IoT network operator

Christian Berger

Well, but that's the other side

The satellite receiver is the receiver here. Obviously, as mentioned, you can spoof the remote and control the device, but not the remote. Again, this is a question of the threat model.

BTW since satellite television uses the same model of "send and forget", even if you have total control over the receiver, you still couldn't use that to attack the satellite or uplink station. (And yes, you can just use your own equipment to send up some noise on the uplink frequency of the satellite)

Christian Berger

It depends

It depends on what you mean by "secure". Yes, I can sniff and spoof your IR remote, but I'll never get it to DDoS something without touching it.

Security depends on threat models. Railway systems, for example, don't need confidentiality. Some signals may even be spoofed without affecting safety. (For example a Stop signal)

Security is not a box-ticking exercise. It's about finding the threats and finding ways to counter them.

Christian Berger

Well there are different threat models in the IoT world

For example you have sensor networks which collect essentially public information like temperatures or water levels of a river, or whether a lamp is broken. It doesn't matter if someone listens in on them; it does matter if someone can spoof those messages.

Now with such "fire and forget" networks, and there are many of them, you essentially have unidirectional data traffic. There is no need for an underlying bi-directional connection as there is no need to have acknowledgements. Having no input is a good way to keep malevolent input from compromising your device.

The security problem obviously lies in the actual network infrastructure. The sane solution would be for the base stations to e-mail the messages to the owner of the IoT device. If done well, they'd be encrypted and/or signed via PGP/GPG and arrive at a server which checks the signature and processes them further...

...judging by the current experience level of many IoT people, they probably use some bloated cloud system with huge attack surfaces consisting of hundreds of web services, each done more incompetently than the previous one.

US yanks staff from Cuban embassy over sonic death ray fears

Christian Berger

Actually like a laser...

"So, somebody can point a narrow beam of sound at your room only, and even at you, not disturbing your neighbours much."

It does reflect on surfaces so you can detect it easily even if not in the main cone of radiation. Yes you can do mixing, it's common with all systems that have some non-linearity, again, you can check for that very easily.

It seems that if there was an actual case against the Cubans, there would be some actual evidence presented.

Christian Berger

It should be trivial to get some facts on that

Essentially get some measuring equipment, a decent digital audio recorder might do, and look for it. I mean this is sound, you can measure and record it.

'Dear diversity hire...' Amazon's weapons-grade fail in recruitment email to woman techie

Christian Berger

If they only were trying to solve actual problems...

...like asking for proper social and education systems, so everybody can choose the way they want to live without fear of slipping into poverty. Then we'd have some actual progress.

It's much easier to blame all of the world's problems on people who share less than 90% of your views.

Dyson to build electric car that doesn't suck

Christian Berger

Well, electric cars are much simpler...

... and Dyson already has experience with many of the remaining hard parts. They know how to design 3-dimensional parts, they know about fluid dynamics, they know about electric motors and batteries.

So my guess is that they'll just have a motor per wheel connected to some dampers. I mean there are student competitions for building cars, it can't be _that_ hard.

Also Dyson is too big to have to worry about regulatory issues.

Mobile stock trading apps riddled with security holes

Christian Berger

IT security is like partying...

.... yes it may cost a bit of money, but lack of money typically isn't the problem!

The problem here is that most mobile developers are people who are fairly new to programming. It's just a trendy way to start, just like web development used to be, or Windows GUI development with Delphi or VB in the 1990s.

Therefore you mostly get inexperienced people working there. People who have "seen the world of IT" rarely mess with mobile app development.

So what's left over are the people who have very little idea of what they are doing. Some of them will have an overinflated ego and charge lots of money, while most of them will work for standard wages.

Just like partying, IT security is about people and their mindsets, not money. You can have a great party with virtually no money, and you can spend a lot of money on a dull party.

Compsci grads get the fattest pay cheques six months after uni – report

Christian Berger

Actually

If there are tuition fees, and students therefore have significant debt, the employers will have to pay for it.

Money doesn't depend on value; it only does in economic fantasies. I mean look at salespeople or stock traders. Those get paid part of their money by sheer luck. People actually buy Apple products.

BTW, 6 months out of university doesn't mean they only have 6 months of working experience. I, for one, have worked for several years before even starting to study.

Microsoft and Facebook's transatlantic cable completed

Christian Berger

Re: It's happened before

"Repairing broken cables involved dragging miles of cable to the surface, slicing it into two pieces and looking which side the light came from, then repeating this on the broken side until light was found again, then splicing in a new section."

You'd think they have some sort of management system or at least an OTDR to help them find that place faster. After all, every cut means additional attenuation which means more noise and therefore, in the long run, more problems with more advanced modulation schemes.

Christian Berger

Well bits are bits (or Shannon, depending on the context), while 8 bits are an octet, not to be confused with the octothorpe key on your telephone.

Ethereum-backed hackathon excavates more security holes

Christian Berger

That's why you should avoid Turing complete languages when possible

The smart contracts in Bitcoin apparently don't have them, which makes them much safer.

Has science gone too far, part 97: Boffins craft code to find protesters on social networks, rate them on their violence

Christian Berger

I wonder if that distinguishes between...

property damage and violence. At least according to German law, violence can only happen against people...

Or to quote the words of German satirical author "Mark-Uwe Kling", "Yes, there is a big difference, because the radical right is burning aliens, while the radical left is burning cars... which is WORSE, because it could have been MINE. I don't own any aliens."

FedEx: TNT NotPetya infection blew a $300m hole in our numbers

Christian Berger

Re: 300m? .. How may 'IT Pros' would that pay for?

"competence does not come cheap."

That's not fully true; incompetent people aren't necessarily cheaper than competent ones, because they suffer from the Dunning-Kruger effect and believe they are highly competent.

Christian Berger

Well, let's estimate

Well at 100k of costs a year for a decently competent employee, that's 3000 man years.

The Cray 1 supercomputer took about 100 man years to develop, so did the 6502. So depending on how you do it, you can design the hardware for your own computer with 200 man years.

Software is a different question, but writing a UNIX-clone takes a few man years. I know that because I've started writing one based on the FreeRTOS operating system and I got rather far in about half a year. So if you build your software with state of the art security, i.e. making it mostly provable, it'll take something between a hundred and a thousand man hours.

So essentially they could have gone the route of developing their own systems for exactly their own purposes with state of the art security for less than this cost them. They then would have been sure that there were no fileservers running they don't want. They would have been sure that their e-mail client wouldn't execute word macros, etc.

UK Prime Minister calls on internet big beasts to 'auto-takedown' terror pages within 2 HOURS

Christian Berger

It makes sense when looking at it from the other side...

... I mean such "Anti-Terror" laws are great for eliminating public outcry about other topics. The public in the UK probably should be on the street demanding better social systems and similar things. With those laws you can simply lock away people you don't like.

This has been done in Germany already at the Anti-G20 protests in Hamburg. Just claim that protesters were violent, surround them so they cannot flee, then arrest them.

Manchester plod still running 1,500 Windows XP machines

Christian Berger

Re: Entirely unrelated to reduced funding by central government…

BTW here's a nice anti UNIX rant from 1985

https://youtu.be/0DdoGPav3fc?t=21m45s

It also highlights one point unixoid systems had back then, since software was distributed as so-called object code, which is the output of the compiler. Obviously that's not portable.

Christian Berger

Re: Entirely unrelated to reduced funding by central government…

"Not unless you consider it a good use of the "big back end system" to be taking an interrupt for every character typed and keeping a map of the screen contents so that it can redraw it when the noisy and unreliable async connections suffers a parity error."

a) There's ethernet now, as well as port concentrators.

b) The redrawing is done by ncurses, which is still magnitudes simpler than most web frameworks

Christian Berger

Re: Entirely unrelated to reduced funding by central government…

"I mean, it's how it should be, right? It's going to keep working forever, practically."

Well, that's a general trend in IT and perhaps other areas. Why make something simple when you can make it more complicated? Of course we'd be better off if we ran business systems on text-mode interfaces. However in the 1990s there was this bizarre trend towards Windows and "distributed computing", since suddenly PCs were cheaper than terminals, and Unixoid systems were more expensive than a computer running Windows 95. Also there was a time when Unixoid systems were seen as "lagging behind". Of course with Linux and *BSD this has changed a lot.

Chap tames Slack by piping it into Emacs

Christian Berger

Re: So... what's the big point for slack?

You know, that gives me an idea. Wouldn't it be interesting to have an "IT Security and/or Engineering" doll? Kinda something that could act as a role model toy for children. Perhaps even with a Free (as in speech) design you could print out.

Christian Berger

So... what's the big point for slack?

I mean you depend on a single company for your communications. They can easily listen into this, and if they go down, or they simply don't like you anymore, you're cut off.

Meanwhile on IRC you can simply run your own server.

So what is the big advantage evening out all the disadvantages?

UK PC prices have risen 30% in a year since the EU referendum

Christian Berger

Re: Markets are mostly psychology

"Protip: it's not the 1600's any more, the UK is not an empire. UK needs EU more than EU needs UK."

Yes, but the EU rarely decides on what's best for the people. After all, if those in power would have thought that way, there wouldn't have been special rule after special rule for the UK. It's hard to imagine that that mindset is suddenly gone.

And that agreement would do 2 things: the Commission could boast that they got 20 Billion from the UK and nobody would question how much the actual debt was, and the UK would get its special treatment.

Christian Berger

Markets are mostly psychology

The UK has its own currency, not fixed to the Euro or the Dollar. So essentially people now invest less in the UK as they believe that their investments will be worth less after the Brexit. After all, if you open a factory in the UK it's much less useful when you cannot sell to the EU. Therefore the demand for GBP is falling, therefore the price is, too... which means you have to pay more GBP for something with a fixed dollar price.

The whole thing wouldn't be much of a problem if the UK still had a big manufacturing sector, but that was apparently killed during the Thatcher Era.

BTW it doesn't matter how the Brexit will actually turn out; what matters is what investors believe the Brexit will turn out like.

(OT: My prediction is that there will be an agreement, the UK will pay back 20% of its debt and will get special treatment in exchange for it)

Outlook.com looking more like an outage outbreak for Europe

Christian Berger

Re: O365

We live in a sad world where Exchange is seen as a competitive solution for E-Mail.

Christian Berger

This is e-mail, it shouldn't be complicated

All those protocols are text-based and, by today's standards, utterly trivial.

However we have a tendency for people to make trivial things more and more complex, up to the point when they fail. This is why we got webmail, and this is why some webmail providers try to complicate matters even more by putting their webmail servers into the "cloud".

If you have important e-mail, get to a reputable provider, pay your xx Euros a year and use IMAP4, not webmail. It'll just work, it'll be lightning fast and you'll have next to no outages.

What do you call an all-in-one PC that isn't? 'Upgradeable', says HP

Christian Berger

Or buy the HP-Z1...

... which is one of the few all-in-one PCs where people were actually trying.

https://de.ifixit.com/Teardown/HP+Z1+Teardown/8840

VMworld schwag heist CCTV didn't work and casino wouldn't share it

Christian Berger

What if they (deliberately) mislaid them?

I mean clearly Nutanix got way more publicity from that than what those badges cost.

It's kinda like that prototype iPhone one of the managerial staff "forgot" at a night club.

Fancy that! Craft which float over everything on a cushion of air

Christian Berger

I think I first heard of hovercraft as a child on Austrian TV

Austrian TV channel ORF1 had this wonderful Australian programme, and I think this is the exact part of it:

https://www.youtube.com/watch?v=BIjYIPoE4_E

Of course it was dubbed, but since Australia also uses PAL, it didn't have to go through an expensive format change.

Apple: Our stores are your 'town square' and a $1,000 iPhone is your 'future'

Christian Berger

"Yeah they fixed it."

Then you use a mask. For every sensor there's a way to fool it.

Another reason to hate Excel: its Macros can help pivot attacks

Christian Berger

Now add to that, that there was OPC

OLE for Process Control required OLE and DCOM to be enabled before the recent switch to OPC UA (which uses some sort of XML over HTTP).

However since process control systems run for decades, it's very likely that many highly critical systems still use that.

The new, new Psion is getting near production. Here's what it looks like

Christian Berger

Yes, but then you'd have...

Android or iOS or any other of those cut down, but highly complex mobile telephone OSes, which achieve so little with so much effort.

Christian Berger

Simple, it's an actual Linux

I mean you can just run a normal Linux distribution on it. You no longer have to work with a cut-down Linux with pseudo-security features which protect the business models of app-developers while completely ignoring the user.