Posts by Christian Berger

Hmm... North Korea is a good scape goat

Because North Korea won't deny it, and even if they did, nobody will believe them.

The bigger problem security in a box companies are facing is of course that they promised to protect people from such attacks (quote from an ad: "The NHS is totally protected with Sophos") when they in fact were just peddling snake oil. In the real world, something like that would have had serious consequences. (However they could also say that it was proven decades ago, that it's impossible to automatically analyse software for certain properties, at least in the general case)

So it's convenient to have a space goat, and North Korea is the perfect one. Of course there is no evidence, but that's how attribution works. You look at some code, and speculate that it could have been X, then someone finds the same code somewhere else, and takes your first speculation as proof that it must have been X.

If the statements of Sophos were true...

... Alfred Nobel would personally raise from the dead and create a Nobel Prize for Informatics to hand them to them. You cannot determine what a program is doing by looking at it. It's called the halting problem and it was proven long before computers came into widespread use. If Sophoses claims were true, they'd have disproven something that has been mathematically proven over and over again. It's like finding a triangle on a flat surface where the angles don't ad up to 180°.

And looking at what an already existing program does, obviously doesn't work. First of all, it already had some something bad, secondly, file compresion/archival software looks just like ransomware, if you only look at what is happening at an API level. It's impossible to get a detection which is sharp enough to lower the false positives to something acceptable while still detecting what you want.

It would be possible to achieve better security, it would just take a decade or so

One of the big problems is "legacy systems". If you have legacy systems running on old, insecure platforms, well it's hard to move to something simpler and therefore more secure. Feature creep in platforms leads to applications deeply embedding themselves in those features.

Maybe administrations should try to define sensible subsets of current platforms, essentially removing all non-essential features from the standards. Application vendors that already have well-behaved software will have little trouble to just work around a missing feature. If you tighten the standards more and more, and announce every change years in advance, you could discipline the market.

Then in parallel you design and build simpler, and therefore more secure computers. Those computers will emulate the previous legacy platforms, and once the currently used subset of features is implemented, you switch to them.

Today we have lots of needless features. We have whole operating systems running in "service mode" behind our backs... just so they can handle USB devices for the operating system. We have service after service running on the background for things that, in the most common case (single user, embedded system, server) could be done by a single shell script.

Luckily it's not _that_ important

The GPL is more or less a sign you put onto your code to declare that people can use it in sane ways. It's not something that's basic to free software as such. In fact really free software should be simple enough, by design, so you can easily reimplement every bit of it with reasonably little effort.

Why does nobody build disk libraries?

I mean tape is only really economical when you have a library, so obviously there are tape libraries acting as a huge tape changer. Why don't do people do this with optical disks. When you only handle them with robots you can get around one of the main problems, scratches. Plus disk formats are rather stable so even in 20 years you'll probably still be able to get something that can read Bluray disks easily.

Mozilla could already do a lot for privacy

For example they could prohibit cross domain javascript, so a website wouldn't load malevolent Javascript from other places by accident. They could evaluate every new W3C proposal and refuse everyone where the privacy implications are higher than any potential use (see DRM, WebASM, etc)

Instead Mozilla acts like any other company. Why? Because it has grown to a size where it's just like any other company. Their income comes from search engines as well as donations. Once that income breaks away, the whole project will fold.

What we'd need would be a radically more simple web replacement. Something where you can implement a fully functioning "browser" in less than a week, and new features are hard to add so it'll stay small. Perhaps something like VNC could be an answer.

It's been done a lot before the dark cloud

Before the iPhone turned smartphones into fashion devices, everybody was doing it, even Microsoft.

Essentially you have a screen on top and a thumb operated keyboard on the bottom. Then you have a pen as a position device.

Here's an example for such a device as Figure 1 of a Microsoft ad:

https://www.microsoft.com/msj/0598/wince.aspx

Here's one you can buy:

https://www.newegg.com/Product/Product.aspx?Item=9SIA8YE3S81985

And here's one from Nokia with a built-in phone

https://en.wikipedia.org/wiki/Nokia_9000_Communicator

The problem back then was two fold. First of all, back then newer operating systems needed a lot more CPU power than older ones. A 3 year old computer was essentially useless. So on a mobile device, where you have severe hardware limitations, you typically ran some severely stripped down OS, for example Windows CE.

The second problem was, that wireless data connections were rather expensive. Of course Wifi would have been an option, but most mobile phone vendors refused to have it.

Luckily we now have products like the "Pocket Chip", the Pyra and perhaps later the Gemini.

The only thing missing now is a common hardware platform so the software could actually evolve.

The funny thing is...

... a large German blog on cyber security and other topics recently asked their readers to send them examples for malware scanners being used to spread malware. It's author was invited to a tour which includes panel sessions with an antivirus vendor....

...so the timing was rather good on this one.

It should be noted that...

no "antivirus" noticed this, and if the download would have been a torrent, there wouldn't have been such a problem, as torrents have cryptographic checksums.

It's just the tip of an iceberg

There's lots of badly written, never audited software with hardware privileges running in modes, inaccessible to the operating system.

For example when USB came to the market, operating system and BIOS vendors couldn't be asked to implement it, after all it's a rather complex protocol. So the CPU vendors shipped a special binary blob which used the Service Mode of the CPU to emulate standard PC devices even though you actually had USB ones. On bad laptops even things like battery control are done by Service Mode software.

Hmm... could this have been a deliberate action of the PR team?

I mean this was apparently done so shortly before the election, nobody can actually say what nuggets are inside of it. So simply put, he can claim himself to be a victim, which usually gives people sympathy points, particularly with the people who know nothing about computer security.

I mean being the "lesser evil" slowly fails to bring you a majority.

Well one of the features of Windows used to be...

... that it had a device independent API for graphics. So you could write code which displays something on your screen, and use the same code to write something to your printer, without having to care about what kind of printer it was or even if it was a printer or a plotter. The operating system would do its best to give you the same experience on any device...

... but that was in the 1990s and WinAPI (now known as Win16) now seems to be depreciated.

It's fairly pointless...

...as most windows applications are deeply rooted within old Win32 code and components that will never be able to convert to UWP or anything, not only because nobody has the source code. The big strength of Windows has always been that it was able to run old software.

Well VoIP and decent programmers don't seem to mix well

Virtually every VoIP product out there is either badly designed or badly implemented... or both.

This is perhaps because many people looking into VoIP will encounter the standards, which are rather far away from how it's actually done, or concepts like NGN, which tries to solve a problem by exponentially increasing its complexity. VoIP just doesn't look like a fun field to anybody who just wants to solve problems. That's why the people left in the field seem to be Java Jockeys, who use SQL-databases without ever having heard of indexes or prepared statements... or people who slap together something that barely works (but is good enough for nifty demos) and open up a company to "support" it, instead of fixing the bugs.

The pinnacle is VoIP software running on Windows. There you have people trying to solve a problem, who have never seen an actual decent solution to a problem.

The problem is that the "laptop with keyboard falling off" market is crowded

I mean I've just bought a 100 Euro one, and added a 10 Euro case with keyboard for it. In the eyes of most remaining Windows users with a choice, that's essentially as useful as a device with Windows 10.

Microsoft it trying to complete in fields it cannot win. What they should do instead, is to go back to what their users like.

It's not like it's different at any larger company

For example at the company I'm working at, it took several months for the IT department to set some permissions on a directory. The IT department recently was congratulated for having such insecure system, that one of those encryption tojans hit them. Another, larger, company I was working before, actually had a special software to make Windows even worse. On top of the list of new features of an update was "Disable IPv6".

The situation is absolutely desolate, in just about any larger coopration, and there is no difference between privately run and public ones. It's just that privately run companies think they can get away with it, as nobody looks at them.

Graphite core???!!!

What an unfortunate name, one of the reasons why Chernobyl happened was that the reactor core was made out of graphite.

Actually it has nothing to do with phreaking...

... as there doesn't seem to be any telephone network involved.

There are still interresting things to phreak, for example some lift alarm systems are connected to the telephone network and can be called. If you call, they will pick up and put you through to the cabin. Via DTMF Tones you can even program them.

Well it's just counting people who do not block junk

So it's questionable how much this reflects the real world where even computer novices are starting to filter what gets into their webbrowsers.

However in this case it might not make much of a difference, as both Android and Windows are overrepresented when it comes to ad servers, as both are used mainly by novices.

Luckily...

... the OpenSSL team is known for their excellent and virtually bug free code, otherwise it would be silly to discuss licenses before actually doing what LibreSSL did and clean up their code.

Well they'd gain more Linux users if they dropped DRM

Seriously there is no reason why they have DRM on their own shows. And DRM is malware. DRM acts against my wishes and runs on high privilege levels. DRM systems also had security bugs (harming the user) in the past. Combine that with high privilege code and you get a disaster.

However one advantage is clear, it'll mean that you can run a modified Linux inside a virtual machine (or on separate hardware) which simply records the streams DRM-free so you can watch what you pay for even on hardware you still want to own.

There used to be a joke...

... that on Windows 97 error messages will have ads.

People with integrity?

Well that's going to be touch, as such people surely won't work for the FBI. It's like asking for glass of water that's both empty and full of water.

92% of _all_ websites totally suck

They used to suck because of Frontpage or the HTML-Export of Word, they used to suck because of Flash, now they suck because of Javascript abuse and "responsive design".

It only shows that you cannot improve reliability...

...by greatly increasing complexity. Every little bit of complexity is something that can break. Of course you can use redundancy to increase reliability, however if that means adding much more code, the net result can be a far less reliable system.

Redundancy only works when you only add little extra code to achieve it. A prime example is RAID 1. It's rather simple to implement, and allows you to survive disk breakdown without any noticeable disruption.