* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

The new, new Psion is getting near production. Here's what it looks like

Christian Berger

Re: other devices also now available?

Yes, though that manufacturer got a bit of a bad reputation for the previous model only supporting Windows 10. This one is announced to support Linux.

Christian Berger

Re: No Google?

"Is it a phone, though?"

Seriously, if you want a mobile phone there are hundreds of sub $50 devices out there which will do just that.

Christian Berger

Re: Sony Vaio P

Well Sony Vaios always had the problem of having exotic hardware so you're stuck with the vendor approved version of Windows.

Christian Berger

Well

Chromebooks are rather locked down devices which require you to jailbreak them... resulting in what's essentially a bog standard laptop. The default software on Chromebooks is essentially a Google-client.

The great advantage of this is its form factor. It's essentially a laptop, but much smaller. And it's not as locked down as Android, so you can actually _do_ stuff with it.

Achtung! German election tabulation software 'insecure'

Christian Berger

Re: I love CCC

Decades actually. Here's a report of a hack on the German "Prestel" called "Bildschirmtext" or BTX.

https://www.youtube.com/watch?v=TOflxejp4Z4

Essentially they got the login of a bank, and set up a relay to call their donation page over and over again.

Christian Berger

Re: It's actually very incompetently made

They gave _lots_ of money to very incompetent people. This was of course made by a private company.

Christian Berger

It's actually very incompetently made

Including a Logo that's clearly Word-Art, and claims like having a "non-indexed database".

It uses HTTP to upload the data to a central server... where there's a PHP script taking the data. It uses password protection, but those credentials are test/test or gast/test, or test2/test2...

This is the homepage, BTW

https://www.wahlinfo.de/

Facebook claims a third more users in the US than people who exist

Christian Berger

Well of course it's mostly fake accounts

Just look here:

http://www.wolframalpha.com/input/?i=facebook+users+per+world+population

while they made great efforts to cut them down, there's still plenty of them.

Secure microkernel in a KVM switch offers spy-grade app virtualization

Christian Berger

BTW, verified Kernels mean only very specific things

A verified kernel might prevent your USB stack from overwriting other code, but it's not necessarily going to prevent you from having parts of your USB stack overwrite other parts, and therefore eliminating the "data diode" on the USB ports.

Additionally this implementation encodes window positions in separate pixels which is both error prone (some graphics cards rescale/gamma-correct their framebuffers before sending it to the screen) and another interface and therefore attack vector.

In any case, it's what I suggested as a response to this talk here:

https://media.ccc.de/v/MRMCD2014_-_6037_-_de_-_tiefbaustelle_s21_-_201409071330_-_end-to-display_verschlusselung_zur_absicherung_von_industriespionage_-_sango

Christian Berger

Re: What I don't understand is why that needs an OS kernel?

"You also need to direct the input to appropriate machine, and how do you know which machine that is?"

Actually that's what I've tried to explain in my OP. You can either use the mouse position, or have some sort of focus system, where you have, for example, a row of buttons on the KVM where you can select one of the systems to have all input. If you set your background to "transparent", you can even draw a border around it, or grey out all the other systems.

"WEY-TEC USB Deskswitch II does not work with Topre Realforce keyboards"

Most KVMs today on the market have horribly bad firmware, cobbled together by people who have no idea what they are doing. There are many KVM switches which essentially crash when you select an input with no video coming in.

Christian Berger

What I don't understand is why that needs an OS kernel?

After all this can essentially be done by video mixing, something that TV studios did since the 1960s.

Essentially you'd sync all sources together, either via genlockable graphics cards, or via a separate framebuffer on your mixer. (no CPU intervention necessary, this can all be done in hardware). The framebuffer can even do things like scaling resolutions, or cropping video.

Then you define a "transparent" colour, as well as a priority list for all those layers. Every 8 or 16 Bit 1990s games console did that in hardware.

The only thing that actually needs a CPU to touch actual data is the system that determines the mouse position and distributes the mouse and keyboard events across the individual systems. And that code is rather trivial. It only needs to translate the position information into absolute coordinates, ask the hardware what system is at a certain pixel, and forward it to that system.
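The mixing and input routing described in the post above, as an added sketch that is not part of the original comment: layers are checked in priority order, a colour-keyed pixel lets the next layer show through, and each pointer event goes to exactly one system or is dropped. The colour key value, the names `Source`, `owner_at` and `PointerRouter`, the system names and the tiny canvas are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed colour key; the post only speaks of a "transparent" colour.
TRANSPARENT = (255, 0, 255)


@dataclass
class Source:
    """One attached system: its name, canvas position and framebuffer."""
    name: str
    x: int          # top-left corner on the output canvas
    y: int
    pixels: list    # rows of (r, g, b) tuples

    def pixel_at(self, cx, cy):
        """Pixel at canvas coordinates, or None when outside this source."""
        lx, ly = cx - self.x, cy - self.y
        if 0 <= ly < len(self.pixels) and 0 <= lx < len(self.pixels[ly]):
            return self.pixels[ly][lx]
        return None


def owner_at(layers, cx, cy):
    """Walk the priority list (highest first); first opaque pixel wins."""
    for src in layers:
        p = src.pixel_at(cx, cy)
        if p is not None and p != TRANSPARENT:
            return src
    return None


class PointerRouter:
    """Turns relative mouse deltas into one event for one system."""

    def __init__(self, layers, width, height):
        self.layers, self.w, self.h = layers, width, height
        self.x, self.y = width // 2, height // 2

    def move(self, dx, dy):
        # Relative delta -> absolute canvas position, clamped to the canvas.
        self.x = min(max(self.x + dx, 0), self.w - 1)
        self.y = min(max(self.y + dy, 0), self.h - 1)
        src = owner_at(self.layers, self.x, self.y)
        if src is None:
            return None  # no system owns this pixel: drop the event
        # Forward coordinates local to the owning system only.
        return (src.name, self.x - src.x, self.y - src.y)


def solid(w, h, colour):
    """Constructed sample framebuffer filled with one colour."""
    return [[colour] * w for _ in range(h)]


def demo_router():
    """Constructed 8x4 canvas: a small high-priority window over a backdrop."""
    low = Source("low-side", 0, 0, solid(8, 4, (0, 80, 0)))
    high = Source("high-side", 2, 1, solid(4, 2, (80, 0, 0)))
    high.pixels[0][0] = TRANSPARENT  # keyed-out corner shows the backdrop
    return PointerRouter([high, low], 8, 4)


if __name__ == "__main__":
    r = demo_router()
    for delta in [(0, 0), (-2, -1), (-10, -10)]:
        print(delta, "->", r.move(*delta))
```
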

Networking vendors are good for free lunches, hopeless for networks

Christian Berger

Re: Essentially it's about detecting crap

Well yes, but replacing equipment while it's running in the field is very expensive, and most vendors will try to weasel themselves out of their liability. Essentially it would mean that you have to do extensive fault analysis on a device which is currently running on a productive system.

Most companies won't even have the equipment to fully diagnose a problem like a faulty implementation of Ethernet link negotiation. Without that most vendors will simply shrug off the problem as they can always blame it on other components.

Christian Berger

Well we do have a different problem now

We have simple solutions to simple problems, but then someone claims there to be some use case that doesn't actually exist (or only exists because of stupidity) which results in people replacing something simple with something _much_ more complex.

Typical examples are HTTP/2, SystemD or UEFI.

Christian Berger

Essentially it's about detecting crap

Unfortunately we live in a world with lots of crap. So as always:

Use well defined standards with more than one implementation.

Check for interoperability

Avoid having only one vendor

Avoid people who buy you lunches, their only useful function to you is to lend you equipment for tests.

Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers

Christian Berger

Isn't serialization something inherently scary?

I mean you turn an object, which can contain both data and code, into a binary blob, then you turn that blob back into data... and code. I mean if you send that binary blob across the network, you should at least be scared that it's not compatible between different versions of your code.

What's your flava? Ooo, tell me what's your flava... of Ubuntu

Christian Berger

Does KDE work now?

So far in the last decade or so, every KDE installation I've seen over various hardware devices and various software versions, from SuSE to Kubuntu had severe display problems. This starts with rounded borders of windows having messed up backgrounds and goes on to actual crashes.

Has this been fixed now?

Flying electric taxi upstart scores $90m from investors

Christian Berger

Well their visions cannot work

There are lots of companies like this one. Usually their main selling point is that they will allow you to get around traffic jams... however...

The air might look like it has a huge capacity, but you have greater speeds and a less stable system which forces you to have higher safety margins... which means traffic jams again.

Any increase in capacity usually results in more traffic filling it.

Retail serfs to vanish, all thanks to automation

Christian Berger

Well It might go another way

Instead of the "Singularity" we might get the "Crapularity".

We experience technology working less and less well. Ask a 1980s programmer to make a little database table editing program, and they'll write a few lines of dBase. Ask a 2017 programmer and you'll get several Java or PHP frameworks cobbled together which might, if everything was done competently, be as good as the 3 line solution from the 1980s.

This is what we get today. Things become more and more complex. Where you used to have a simple manual listing commands to drive a peripheral, you now have huge software abstraction layers which usually lack the function you want to have.

Currently companies like Google or Amazon still get the people who know how to solve a problem as simple and flexible as possible. It's unclear if this will continue. Eventually those people will retire and unless we ramp up education, there might not be a generation which grew up with actual computers.

It's official: Users navigate flat UI designs 22 per cent slower

Christian Berger

Back in the olden days...

... you had rooms full of laypersons doing essentially what that study did, but before you shipped. Companies like Xerox even went so far as to teach children and Disney animators how to program.

Christian Berger

Re: Personally

Well there is more than just the number of participants that is relevant. The study could have some serious flaws...

...however the results of the study are exactly what you'd expect from a GUI which removes important visual clues to how it works. Just imagine having a room with an invisible touch sensitive sensor instead of a clearly visible light switch. You probably still touch the right space on the wall many times, but if you don't, it's hard to see where you should have touched it.

Smart meters: 'Dog's breakfast' that'll only save you 'a tenner' – report

Christian Berger

Smart Meters would be cool...

... if they could send their values to my MQTT server and only a yearly total to the power company. Perhaps if the local grid company needs it, it could also send its current power anonymously over the power wires.

That's something I would pay that money for.

It's happening! Official retro Thinkpad lappy spotted in the wild

Christian Berger

Those displays are custom made anyhow

So having a different aspect ratio shouldn't be a problem. I for one would like to have a communicator shaped one with an 800x240 or something display.

'Independent' gov law reviewer wants users preemptively identified before they're 'allowed' to use encryption

Christian Berger

It's not about those who can use netcat

"Because as we all know, it's impossible to send encrypted data across the internet without a social media/email account."

This is not about the technically adept. This is about the layperson. The whole idea is to condition normal people into compliance, a few freaks who know how to use computers don't count.

Asterisk bugs make a right mess of RTP

Christian Berger

Re: But its open source!

Asterisk probably is one of those prime examples of "Open Source" vs "Free Software". It's essentially developed by one single company which is very picky with even patches that would be sensible. (like the Opus Patch that's floating around)

Christian Berger

Asterisk has lots of bugs regarding RTP

One conceptual bug, for example, is that it the codec packets of outgoing packets whenever they get a packet with a differing codec. If you connect 2 Asterisk servers with the right delay, and have 2 or more codecs enabled on those, you'll get constant codec switching.

Net neutrality comments close: Let the BS begin!

Christian Berger

Maybe we should regulate it like the power grid

There you have central monitoring stations which check that there always is n+1 redundancy. So essentially at the central operations centres, a computer will compute that every 5 minutes. So any component can fail which shifts the traffic, however no component gets overloaded that way.

So essentially ISPs would have to keep load logs and certify that no component gets more than the load it can handle without degradation. (i.e. getting much more jitter or latency) That way ISPs must continuously upgrade their networks to keep up with demand.

Deputy AG Rosenstein calls for law to require encryption backdoors

Christian Berger

Essentially that would make US products unbuyable to the rest of the world...

... at least that's the common idea. The counter-argument is of course Blackberry, who have been found to have back doors many times, but still manages to sell their products.

CyberRehab's mission? To clean up the internet, one ASN block at a time

Christian Berger

That's a terrible idea

Virtually everything is illegal somewhere, and laws typically aren't in step with what informed parts of the society think is fair.

New York Police scrap 36,000 Windows smartphones

Christian Berger

Now imagine they'd have done this with a simple text-based unixoid application...

... perhaps with an ncurses based UI...

You could simply log in via ssh, giving you an encrypted and authenticated connection without the fear of cross site scripting or other web-problems. It wouldn't matter what kind of device you have as they all run some form of ssh-client. In case you have bad connections you can even use mosh.

Dell's flagship XPS13 – a 2-in-1 that may fatally frustrate your fingers

Christian Berger

Well if good engineers had their say...

... you'd probably get a rather slim laptop which you could dock onto one or more external batteries. The display would be easy to replace with interchangeable displays for all models with the same size, possibly even between vendors. The displays would also be available in most technologies, from OLED to sunlight readable transflective LCDs, and all in various resolutions.

China to identify commentards with real‑name policy

Christian Berger

This is of course for their "scoring system"

They currently introduce a scoring system where everybody gets a score from 0 to 255 depending on what they do. Then scarce resources (like flats or kindergarten places) can be allocated based on the scores of the applicants.

Now obviously this is a nightmare situation, nobody, including me, would want here, so let me play the devil's advocate and defend it here a bit:

China is a huge country with over a billion inhabitants. You don't want it to become unstable in any way, as that would be bad for the people. Civil wars are no piece of cake. So for the greater good of the people systems are put in place to make the system more stable as a whole. Such a scoring system does this in a soft way while staying as "fair" as possible.

NSA ramps up PR campaign to keep its mass spying powers

Christian Berger

This is of course just an extra...

... the real NSA PR campaign caused that now everybody believes their job is to stop terrorists. It's not, it's the job of the police.

Fewer than half GCSE computing students got a B or higher this year

Christian Berger

Re: "technical and digitally skilled"

""digitally skilled" = can point at something with a finger"

Probably more. It probably also includes holding things.

Boffins blast beats to bury secret sonar in your 'smart' home

Christian Berger

Re: The simplest ways are best

"So why not go Nineteen Eighty-four and ban hard switches?"

There are lots of people who propose that by thinking it's OK if the manufacturer disallows you from modifying the firmware of the device you bought. In fact that's one of the main motivations behind "Secure Boot".

Christian Berger

Re: yet another reason...

I think it was in a Chaosradio episode where they joked about having 2 of those systems on IP switchable power sockets. That way you can instruct one of the systems to turn off the other one. :)

So, Nokia. What makes you think the world wants your phones?

Christian Berger

Well...

Not everyone wants their phones to be flat. If you look at typical DECT phones, those are bulky and even waste lots of space. However since they are the right shape, they fit nicely into one's hand.

The problem today is that all the manufacturers are focussed on bringing out essentially the same product. This increases development costs (how to shave off another fraction of a millimetre), but lowers margins. That's a very unhealthy situation.

What weighs 800kg and runs Windows XP? How to buy an ATM for fun and profit

Christian Berger

She could have put it in a public place...

... with a modified software that asks the user for the amount of money and the PIN.... and then just make a transfer without spitting out any money. An error message on the screen could erase any suspicion.

What code is running on Apple's Secure Enclave security chip? Now we have a decryption key...

Christian Berger

Re: Well you cannot make this secure

Well then you probably have transparent fingers. People with opaque fingers usually have severe problems typing on those screens.

Christian Berger

Re: Well you cannot make this secure

"So how exactly do they do that? ... The hardware doesn't support that."

There is a thing called Focussed Ion Beam microscope

https://en.wikipedia.org/wiki/Focused_ion_beam

It allows you to cut through the layers of a chip and add new wires to it. So essentially you can get to the connections of the internal memory of those chips, unwire them from the internal CPU and connect them via microprobing to an external device which reads it out.

Which is something the Dutch claim to be able to do:

https://youtu.be/AVGlr5fleQA?t=34m23s

"they need to be able to snapshot the full state of the enclave and restore it on failure."

Actually depending on how it's done, just glitching the power at the right time could prevent the chip from storing its new state.

Christian Berger

Well you cannot make this secure

Essentially whatever you do, you'll always get to the point where you'll need to expand your PIN into the key used to encrypt your memory. Everything needed for that has to be stored on the device and can, in principle, be read out.

So the security hinges on the PIN, and since you cannot enter complex alphanumeric passphrases on a touchscreen, you're essentially left with a short 8 digit numeric PIN, often even shorter than that.

So essentially every moderately advanced attacker can just read out the "security enclave" and emulate it to try out all the PINs.

Are Asimov's laws enough to stop AI stomping humanity?

Christian Berger

Corporations are a form of artificial life

The only difference is that it's based on people, not on silicon. However those people regularly make the corporation act against mankind or even themselves.

Before we argue about AI, we should bring large corporations under control.

US military spies: We'll capture enemy malware, tweak it, lob it right back at our adversaries

Christian Berger

Notice that that's within the capabilities of any adept scammers...

... which is one of the reasons why attribution is impossible. Anybody can take malware from someone else, repackage it and perhaps change the strings in it to another language... and use it again.

SoundCloud: You can't stop the music, nobody can stop the music

Christian Berger

Re: It's one of the examples of one of the dumbest competitors...

"Is there stuff you can only play/stream but download normally?"

Unfortunately on Soundcloud there is lots of stuff you cannot download easily.

Christian Berger

It's one of the examples of one of the dumbest competitors...

... becoming the largest competitor.

Essentially their service could be replaced by an FTP-server and all users would be much happier.

Don't buy Microsoft Surface gear: 25% will break after 2 years, says Consumer Reports

Christian Berger

Well it's consumer stuff...

... since returns of consumer products are not in any way related to the product actually breaking, and consumers having no idea if 1% or 10% of their product broke within 2 years, there is no drive towards quality in consumer computers.

Considering that business computers often even cost less than consumer ones, at a much higher build quality, one wonders why those products are still bought.

Google's macho memo man fired, say reports

Christian Berger

Re: The guy's a bigot

Well I could understand all of that if people simply tackled his arguments one by one, but what's happening is that they just claim that it's a rant. He does make some good suggestions like trying to remove the stigma of men reducing their work time.

The world is not black and white, and we need opposing viewpoints to calibrate our moral compasses.

Christian Berger

Re: Diversity is good

Well the theory goes that if you have people with lots of different backgrounds, you'll get lots of different ideas. Obviously gender is correlated with your background.

(for ease of typing I'm abbreviating "women and minorities" into minorities, I am fully aware that this is wrong)

Now the problem is that, simply put, minorities often aren't interested in things like programming, so the rate of programmers is lower in many minorities than it is for "white men". However some "neo-left" people want more even distributions, and that's where some organisations start to hire people just because they are in a minority. And then it becomes a problem.

Now if those "neo-left" SJWs would actually want to do something against that, they'd start with things like demanding proper healthcare and a proper social system as well as tuition fees being paid by the public and not the individual. That way everyone choosing to do so can get any career they are physically and mentally able to pursue. Education wouldn't just belong to the rich.

Instead they argue that they must not be confronted with opposing views, which is dangerous. Opposing views are what make you refine your own views. Views are rarely 100% wrong, but rather are likely to have some good points. Simply copying your viewpoint from another will lead to a stagnation. Eventually a group's viewpoint will become simpler and simpler.

'Invisible Man' malware runs keylogger on your Android banking apps

Christian Berger

Re: Can't we finally admit...

Well not quite, since many people believe that those security measures work, they instruct people to do unsafe behaviour. Just look at many websites who want you to install their app. Just look at the many apps which are malware (adware) or otherwise slurp your data.

In fact, not being root on your own device means that you have to do backups via some external provider/app, which is a huge security risk compared to just scp-ing your data over to your computer or NAS.

Christian Berger

Can't we finally admit...

...that the security features of mobile phones don't work, they are only a hassle to the user.

In the end it always boils down to "don't install malware".

Microsoft Surface laptop: Is this your MacBook Air replacement?

Christian Berger

It makes sense from Microsoft to try out that market

I mean there's people buying MacBook Airs, essentially fashion statements you can get some functionality out of. There probably is enough space for 2 companies. "Me too"-products can work if it's not the 20th of them.

Of course if you actually buy a laptop in order to work with it, there are many much better alternatives.