* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

It’s 2017 and Hayes AT modem commands can hack luxury cars

Christian Berger

The second bug is _much_ more relevant

If you have physical access to such a device you essentially have won. That's not news.

The news is that they found a bug in the baseband chipset firmware. And that's relevant as there is code reuse, so it's likely that bug is still in modern devices. After all, even your shiny new LTE baseband still has to implement UMTS (with lots of ASN.1) and GSM.

On that 2G device that may not really matter, as the interface is rather simple, however many 3G and 4G basebands connect via more complex interfaces. The 4G baseband in many laptops, for example, can pose as a keyboard and a disc, which makes exploitation possible in a very stable way. Just pop in a disc and handle the popup.

AI quickly cooks malware that AV software can't spot

Christian Berger

Wasn't that already a thing in the 1990s?

I mean back then people talked about polymorphic malware. Essentially you'd move over the use of one register to another one, or you change the order of executions, or you encrypt it.

So this is nothing new.

So who exactly was to blame for Marketo losing its dotcom?

Christian Berger

It's not like people wouldn't leave such companies voluntarily

The online marketing trade has changed from delivering harmless animated GIFs to sending out Turing-complete bundles of JavaScript and/or Flash. It's currently one of the biggest security threats on the web.

So it could be that their technical person simply left the company for ethical reasons and the knowledge that you need to renew domains left with it.

Marketing giant Marketo forgets to renew domain name. Hilarity ensues

Christian Berger

Re: People assume that success is correlated with competence

@handleoclast

Well perhaps we can boil that down to, "from a certain level up competence does not matter". I mean clearly if they were too incompetent to set up any website they'd not have gotten to where they are now.

Christian Berger

Re: People assume that success is correlated with competence

No not really. It simply doesn't matter.

Christian Berger

People assume that success is correlated with competence

It's not, it's mostly correlated with luck or inheriting money. Just because it's a 1 Billion company, it doesn't mean they have anybody who is good at what they are doing.

iRobot just banked a fat profit. And it knows how to make more: Sharing maps of your homes

Christian Berger

Thanks iRobot...

... I was considering buying one of your products... now your products are off the list of the ones I'd consider buying.

Devs shun smartwatch work, gaze longingly at web-only apps again

Christian Berger

We'd need a simpler remote GUI protocol than HTML/CSS/JS/HTTP

Something that actually handles state, perhaps via some sort of TCP-connection. Something that handles authentication without having to re-invent the wheel every time. Something that needs a client that can be implemented in less than a megabyte.

Repairable-by-design Fairphone runs out of spare parts

Christian Berger

Re: Batteries are always a problem for phones.

I don't fully follow your argument, as you can put the batteries in the hinge, however instead of 18650 batteries you can use those used for some old "feature phone" which was designed in the 1990s and still is being produced. For example I have a Bluetooth GPS receiver which used the same battery as several Nokia phones.

Christian Berger

ARM cores != ARM SoC

While ARM cores may be very compatible, the SoCs aren't. Even simple things like GPIOs and UARTs are different for every one, with the smallest difference being the port and interrupts they are on.

Same goes for more essential things like clock trees. No two SoCs are alike, even if they share the same core.

The best you can do is to put the SoC on a separate little board which can be replaced easily, but even then, every new SoC requires a separate port of the OS.

Christian Berger

Well with laptops the problem is less problematic as there is a strong business market, and to get into that, your laptop needs to be easy to maintain.

Christian Berger

Re: Why on earth didn't they just use standard components?

Well but for example AA-batteries are and will be available for decades. The same goes for 18650 cells.

Christian Berger

Why on earth didn't they just use standard components?

I mean there are various kinds of standard battery packs which are used by multiple manufacturers. Same goes for displays and probably most other components.

Firefox doesn't need to be No 1 – and that's OK, 'cos it's falling off a cliff

Christian Berger

If they'd only stop making the GUI less and less usable...

... and focus on actual improvements like having a simple way to replace externally loaded JavaScript, so it will no longer be stalling to resolve DNS queries when loading external resources.

Or to put it in marketing terms: You cannot win by trying to be a bad copy of Chrome. People who like Chrome use Chrome. People who don't like Chrome use, for example, Firefox. By trying to emulate all the bad features of Chrome, you will eventually lose your core market.

Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested

Christian Berger

It's T-Systems...

... those used to have a contract management system connected to live systems, so you could, for example, alter your passwords by editing your contract. It turns out you could edit everyone's contracts, not just yours.

T-Systems is not where you go for IT.

Microsoft hits new low: Threatens to axe classic Paint from Windows 10

Christian Berger

Re: The end

Actually I've just looked it up, and for some reason I cannot fathom it's around 6.5 Megabytes of code!

I mean, yes, it's got some new feature that Paint on real Windows (i.e. Windows 3.x) didn't have, but I doubt the PNG and JPEG code takes up 6.4 Megabytes.

Edit: That's on Windows 7.

Q. What's today's top language? A. Python... no, wait, Java... no, C

Christian Berger

Note that there were "popular" shitty languages in the past

Like PL/1 for example, a language trying to do "everything".

Here's a review of it:

https://plg.uwaterloo.ca/~holt/papers/fatal_disease.html

Christian Berger

Re: In over 40 years of programming ...

"Surely these languages are popular for a reason?"

Yes, but that reason, more often than not, is hype surrounding them. You have professors who grew up in the pseudo OOP-Hype of the 1980s and 1990s and think C++ and Java are the ultimate languages as they are so OOP.

This is why old Windows Phones won't run PC apps

Christian Berger

Re: x86 support is coming to Windows 10 ARM phone

What about all those (nearly) no-GUI applications for Windows, like VPN clients and stuff? Those wouldn't have problems with braindead ideas found in modern "smart"-phones.

Christian Berger

Re: It would appear...

That's probably not a real limitation as 64-Bit is only used in new programs which are still maintained. Those could even be re-compiled for ARM once Microsoft offers an ARM version of Win32.

The big problem is all of that unmaintained software that was bought decades ago and still needs to run somehow. The manufacturer went bust 10 years ago, and nobody has the source code.

UK mobile number porting creaks: Arcane system shows its age

Christian Berger

To put that into perspective

The German fixed line portability scheme involves exchanging porting information between carriers (there are companies which act as intermediates for carriers which only have limited interconnections). Those are stored in databases (or plain text files) and converted to special database files which can be looked up in less than a millisecond. So for every outgoing call a carrier will look up which carrier hosts the number and look up what is the best (read cheapest) way to reach that destination.

When someone ports their number away from one carrier, they are obliged to forward the calls to the new carrier for free for a certain time. That's why carriers charge up to 20 Euros per outgoing number.

No one still thinks iOS is invulnerable to malware, right? Well, knock it off

Christian Berger

Well malware is a question of the definition

For example there are apps displaying ads in some form of quiz. Normally you'd classify this as a form of adware and therefore malware, however such "security companies" might not.

For some regimes, any software which allows you to communicate in an even remotely secure way might be considered malware.

Depending on your point of view, the only way to install non-malware might be side loading.

Crazy bug of the week: Gnome Files' .MSI parser runs evil VBScripts

Christian Berger

Re: Over complicating things

This is, unfortunately, a typical symptom of the current breed of Desktop developers. The important problems have all been solved decades ago, now they are just trying to solve them more and more complex. The result is features nobody asked for, which not only harm productivity, but also security.

Unfortunately this is happening on virtually all desktop platforms.

Breathless F-35 pilots to get oxygen boost via algorithm tweak

Christian Berger

You'd hope they are hackable...

... because there may be situations where you want to fix or otherwise tweak them without having the proper materials. It's like any large machine, it should work by default, but sometimes you need to tweak it to work for you.

SQL Server 2017's first rc lands and – yes! – it runs on Linux

Christian Berger

Well they want to stay relevant

Microsoft is a rather heterogeneous company. My guess is that the department making the SQL-Server sees Windows as a lost cause as it's more and more aimed at mobile systems and the consumer, despite recent developments like the Terminal window supporting colour and more than 80 columns. (whoo hoo)

Now there are many IT departments which try to get away from Windows whenever possible. Usually that means buying newer web-based applications running on Linux, typically with MySQL.

It's a bit like in the 1980s when minicomputer manufacturers realized that the future would be in microcomputers and they all released versions of their minicomputers in microchip form. Suddenly you could have a PDP-11 that's just a single board (plus RAM).

In both cases we have companies trying to keep their products relevant for longer. In both cases the problem ultimately was that their products had no user relevant advantages over cheaper competitors.

Linus Torvalds may have damned systemd with faint praise

Christian Berger

Re: It's a phase young programmers go through

Yes ANSI is terrible, but today we have UTF-8, we can simplify the escape sequences a lot by using "reserved for local use" characters.

Christian Berger

Re: It's a phase young programmers go through

We could solve so many problems if, instead of using X11 or Wayland, we had added sound and graphics to the terminal specification.

Christian Berger

You confuse hating...

...with having logic based arguments against something.

Christian Berger

Re: It's a phase young programmers go through

"It's my guess that the average number of 'seats' across all installed Linux systems is a bit less than one. Desktops and laptops have one; lights-out servers have zero."

Well back in the early 2000s there was a phase when a multi-seated Linux computer made some sense. As a separate computer was more expensive than adding a graphics card to an existing one. Of course with things like the Raspberry Pi, this is no longer the case. Even though it's slow by itself, it's a potent X-Terminal. Now if we had a decent "remote desktop" protocol that supports audio as well as video, we'd have completely new capabilities.

Christian Berger

It's a phase young programmers go through

When you learn to be a programmer there is a phase where you learn about all those cool things you could do. You learn about OOP, RPCs, functional programming and so on. As you usually only hear about them from the proponents, you think they are all great and the future, and they allow you to build wonderful castles in the sky. You actually dream about complex data structures residing in cyberspace.

Now when you become more experienced you learn that coding is hard and that every line of code is like uncovering a tile in "Mine Sweeper". So you become more cautious and try to optimize not for complexity, but simplicity. Once you learn about the UNIX philosophy you will realize that this is one local optimum when it comes to simplicity.

In the past, young programmers used to learn either in BASIC or Pascal, and their first jobs were writing shitty software for Windows. That's where all that bad and never maintained shareware stuff for Windows in the 1990s came from, as well as some business critical applications from that time. So people could make their mistakes where it didn't hurt, and then maybe later learned about unixoid operating systems.

Today young programmers start with Linux right away, so naturally they make their mistakes on that platform. They also want to work on "Open Source" software, as that looks good in their resume. That's why those projects now get overrun by inexperienced programmers wanting to build complex castles in the sky. And this is how we get things like DBUS, ConsoleKit, PulseAudio and systemd.

Juicero does to its staff what your hands can do to its overpriced juice sacks

Christian Berger

It's more like what you get...

If you have stupid objectives like (squeezing the bag on its full surface) made up by marketing which refuses to accept more sane alternatives (using a roller to squeeze the juice).

Funnily enough, charging ££££s for trashy bling-phones wasn't a great idea

Christian Berger

Re: You don't get rich from selling to the rich...

Exactly.

Christian Berger

You don't get rich from selling to the rich...

... you get rich for selling to the poor. That's why the two richest people in Germany were the 2 Albrecht Brothers who owned a little chain of stores called "Aldi".

Want to kill your IT security team? Put the top hacker in charge

Christian Berger

Hmm...

So far I haven't seen such being clearly managerial or technical, they still seem to be rather mixed.

Christian Berger

So the obvious solution is...

... to create 2 posts. One which is a purely managerial position where you have a good manager. Then you create a second position where you have a good engineer, which assists the manager and has authority in all technical questions. Those people must be on an equal level and work closely together.

Having one or the other is a recipe for disaster, but having both might work, if they can work together.

GSM gateway ban U-turn casts doubt on 7.5-year prosecution in Blighty

Christian Berger

To put that into perspective

Today a call from Germany to a Mexico landline costs about less than 0.05 cents wholesale a minute.

Multics resurrected: Proto-Unix now runs on Raspberry Pi or x86

Christian Berger

Re: Anything we should steal ? - Definitely

"I think that exploring direct mass memory access while doing away with traditional file I/O might well be worth exploring once more."

That's why some popular architectures like Genera on the LISP machines do it that way even today.

Windows Insiders with SD cards turn into OneDrive outsiders

Christian Berger

Re: Sky blue, water wet, MS fucking over customers...

"It's like they WANT to piss their customer base off so bad that the customers go elsewhere."

Maybe they see this as the reason why Apple is so successful?

Brit prosecutors ask IT suppliers to fight over £3 USB cable tender

Christian Berger

Re: USB A, Male to Male? I don't think you really want one of them

You probably won't fry anything, but it's certainly not part of the standard.

Christian Berger

Re: Not just restricted to governments

"And the customer waited for the third reminder to be received before he paid that Pfennig back, right ?"

No, they actually brought in the Pfennig in person.

Christian Berger

Not just restricted to governments

I once worked at a German electronics store, and one customer had an open debt of 1 Pfennig (roughly half a cent). We sent out a letter (costing something like 70 Pfennig) to send the demand note.

Such things happen regularly at organisations. It's when people act according to rules. The German expression is "Dienst nach Vorschrift" which apparently translates as "work to rule".

SBU claims Russia was behind NotPetya

Christian Berger

Malware doesn't wear a uniform

Attribution is impossible, unless the attacker was _really_ stupid. Every kind of "evidence" can be faked trivially, particularly by secret services.

You can smuggle computers from nearly every country, you can disassemble, change and reassemble malware from other attackers to look like them. You can leave in strings in foreign languages. All of that is perfectly within the reach of secret services, or probably even a technologically adept scammer.

In after-hours trade on Monday, NYSE deployed test code to production

Christian Berger

Beancounters are odd

There are bizarre rounding rules. Like normal people round 1.5 to 2, and 1.4 to 1.

Beancounters often consider the next digit if the digit is 5. So...

1.50 becomes 1

1.51 becomes 2

1.52 becomes 1

1.53 becomes 2

1.54 becomes 1

and so on.

...

Though that still doesn't explain the 7. Maybe someone tried to write financial code in Java and wanted to test their rounding code, did this with the number 123.456, left in the test code... and failed.

GnuPG crypto library cracked, look for patches

Christian Berger

It's important that it's been fixed..

...however for most people the attack is rather theoretical, the attacker would have to execute code on your computer to attack. Of course with more and more stupid things like WebAssembly forced upon us, this does become more and more likely to be exploitable.

Constant work makes the kilo walk the Planck

Christian Berger

There's a movie about the redefinition of the kilogram

And it's even rather good, though a bit on the love story end of things.

https://www.youtube.com/watch?v=FVIAtIHcehM

One-third of Brit IT projects on track to fail

Christian Berger

Re: Indeed

"bad design + poor specs + not checking with users + no agreed test procedures"

That's why you build prototypes. Hack something together which works a bit, just enough so people can try it out and give you input on how they like it. Ideally you write something you'd like to use yourself. Even if it's a bit non-intuitive, as long as it's fun to use and efficient, you can lure people into behaviour they are not used to.

Christian Berger

Indeed

I'd say that 60-70% of all software projects get to something somehow usable. Perhaps 10% of that are usable and work, and 10% of those are good.

The problems typically lie in bad design. Software architects build castles in the sky which then are impossible to implement, and even if they get implemented, they turn out to be terribly inflexible, as any change will have to be made in layer upon layer of software.

The solution is to make things as simple as possible. Think before you add complexity. Do you really need SQL for that particular project or would simple text files be sufficient? Do you really need XML or would a simple line-based text file be good enough?

You won't win a prize for solving a problem in a complicated manner, but you will gain respect when you have software that's easy to work with and fix.

Big question: Who gets the blame if a cyborg drops a kid on its head?

Christian Berger

Naw, only when they grow up

https://youtu.be/42Xi9peYYHU?t=2m11s

Christian Berger

It's not like that's a limitation.

Yeah, and only few if any people are even capable of forming that many words without getting really verbose. Unless you have a screen keyboard and intransparent fingers, your writing speed is typically not constrained by your typing speed.

Christian Berger

We'd first need to sort out more general problems with our economy

We have already seen what our current way of solving the economic problem does to mobile devices. They have turned from their humble brain extending beginnings (calculators, etc) to devices which actually inhibit your cognitive abilities by constantly drawing your attention to them so you can be served ads.

If we extrapolate that to brain machine interfaces we'd get a rather dystopian future.

So one problem is that there are people/companies believing they have the right to turn other people's attention into money. Another problem is people/companies/governments applying force on other people.

The constitutional court of Germany has wisely declared the right for "Integrity and confidentiality of information processing system". This is one of the essential rights we'd need for a cyborg future.