Posts by Christian Berger

4851 publicly visible posts • joined 9 Mar 2007

Sir Tim Berners-Lee refuses to be King Canute, approves DRM as Web standard

Christian Berger

Re: The Web is lost, and the W3C did nothing to prevent this

Tickers and updated stats work fine via RFB, just as well as "web applications" where you need to send back forms.

You can trivially extend RFB to have an encoding "h.264" or "vp9" or whatever, or you can embed video into your "PDF-like" static document format.

Christian Berger

The Web is lost, and the W3C did nothing to prevent this

Every new feature has, so far, been utterly abused by site operators. We have cookies which were supposed to help with state in web applications, they are now abused for tracking users. We have Javascript, which was meant for local validations of form values, which is now abused for tracking and annoying users. Now we get DRM which will undoubtedly be used to turn the life of the users into hell again.

Maybe we should just acknowledge that the web has failed. Institutions like the W3C apparently don't even see that we actually have 2 different things. One provides (quasi) static pages of mostly text, the other one provides access to some sort of application. Trying to do both with the same set of tools leads into disaster.

Maybe we should just use text files or some sort of PDF subset for static pages and use something like RFB (the protocol behind VNC) for dynamic things. After all, despite the overhead both protocols carry, they are still _way_ more efficient than the bloated versions of our protocols that are currently in use.

Japan's Venus probe power plight panacea: Turn it off and on again ...and again and again...

Christian Berger

Different approach to it

Apparently the Japanese are using the approach of sending out more, cheaper probes rather than fewer, more expensive ones. So they may have some failed ones, but that's not as big of an issue.

It's of course noteworthy that such power glitches are nothing uncommon. Stray charged particles are common up there and can cause parasitic thyristors to fire, leading to a short circuit. Electronics for space is designed to detect that, remove the power for a bit, and turn it on again.

We found a hidden backdoor in Chinese Internet of Things devices – researchers

Christian Berger

Re: FFS since when is a GSM to VOIP gateway...

Indeed! In fact such a device typically would be next to your PBX behind NAT and probably with no Internet access at all. For example we have a setup with another GSM to VoIP gateway which is on a separate network with one server and an ISDN to VoIP gateway... all with no Internet access.

Silicon Valley tech bro's solution for homeless: Getting himself in the news. Again.

Christian Berger

I think SV shows one perversion of our current economy rather nicely

I mean you may think that homeless people do not contribute to society... but then again you have lots of companies there which have negative contributions. This starts with start-ups burning investor money and ends with companies making attack weapons or DRM to actively hurt the world.

I would go so far as to say that a large percentage of people in the high and absurdly high wage ranges actually have negative contributions to the world as a whole.

CloudPets' woes worsen: Webpages can turn kids' stuffed toys into creepy audio bugs

Christian Berger

No, PR people are easier to hire

It's not like you can't get decent developers for what PR people cost.

All you need is people who know their limits. Since most of this is utterly trivial stuff, you just need the people who solve this in the most primitive way.

Tuesday's AWS S3-izure exposes Amazon-sized internet bottleneck

Christian Berger

With your own infrastructure...

... you can at least fix stuff when it's broken. With a cloud solution you have to hope that the cloud provider knows what its doing.

Up close with the 'New Psion' Gemini: Specs, pics, and genesis of this QWERTY pocketbook

Christian Berger

It's not just the hardware keyboard...

... it's also that you can probably run an actual operating system and don't have to resort to impossible-to-secure systems like Android, iOS and the likes.

You can just strip down the operating system to whatever you need and even use that device as a terminal. In fact since you have a decent keyboard, you can even enter secure keys for flash encryption.

The most l33t phone of MWC: DarkMatter's Katim

Christian Berger

Does it have separation between baseband and application processors?

Otherwise any security hole in the baseband processor (rarely checked for, but very likely to exist) would compromise the whole machine.

Other than that, if it has a browser, it likely has security problems. Even if you sandbox the browser, the browser can exploit itself which is bad enough for most people.

Then there's the problem of how tamper proof the device actually is. It likely has a wire wrapped around its insides, or perhaps some flexboard fulfilling the same purpose. If that's not done properly, it's possible to circumvent that, for example by short-circuiting part of it.

81's 99 in 17: Still a lotta love for the TI‑99/4A – TI's forgotten classic

Christian Berger

In the early 1990s I got it along with a ZX80

The TI was essentially useless with the stock BASIC, it barely allowed you to do primitive text mode graphics. I also compared the speed to my ZX80 and it was many times slower.

In fact if you displayed the whole character set and redefined characters, you could see the BASIC interpreter moving its data away from the space used by unused user defined characters. It had something like 128 words of RAM accessible to the processor, while its 16 kilobytes were all dedicated to the graphics chip... so every access had to go through the graphics chip. To make it even slower, the BASIC interpreter was itself interpreted.

Some accessories removed some of the problems. For example you could give the CPU some actual RAM apparently, but those things were completely unobtainable back then.

Artificial intelligence 'will save wearables'!

Christian Berger

You'd need a generation of early adopters first...

... unfortunately the wearables market kinda has skipped the "early adopters" phase, so nobody has a clue what to do with such devices. Instead they jumped from "unobtainable" to "big budget mass market" devices which are all alike.

What would have been needed was a phase of experimentation. A phase where it's easy to program and perhaps to add new hardware to it. Have a simple product like this out for a couple of years so a community can form around it... just like with home computers in the 1980s. Don't aim for the mass market yet.

NSA snoops told: Get your checkbooks and pens ready for a cyber-weapon shopping spree

Christian Berger

"Unique nature" of the job?

The problem is that on one side, they need people who are smart enough to understand how computers work, on the other hand they must be dumb enough to believe in the story that the NSA is a "good guy".

There is no justification for offensive "cyber weapons" as defense would be _much_ simpler.

IT security is like having a party. Yes, it may cost a bit of money, but lack of money usually isn't a problem. It's all just a question of mindsets.

Deutsche Telekom hack suspect arrested at London airport

Christian Berger

It's like rattling on a door to break in...

... and have the whole house collapse.

Of course nobody blames Deutsche Telekom for having their TR-069 open to all the world instead of limiting it to the IP-range of their ACS servers.

Ah, the Raspberry Pi 3. So much love. So much power ... So turn it into a Windows thin client

Christian Berger

During my time as a trainee...

... back in the late 1990s my colleagues tried actual remote RDP, essentially running multiple "office" RDP sessions over an ISDN line. This worked decently well, but was too expensive in the time before flatrates and VPNs.

Of course this was when a computer with 128 Megabytes of RAM was nearly unimaginable, and a developer had something like an AMD K6-II with 300 megahertz.

So of course a Raspberry Pi has way more than enough power to run an RDP terminal.

Netflix treats security ills with Stethoscope: Open-source self-probing tool

Christian Berger

Of course for Netflix..

... that probably mostly means to check if the DRM is still intact.

Florida Man jailed for 4 years after raking in a million bucks from spam

Christian Berger

What I wonder is...

I mean sending e-mail legitimately is fairly simple, you don't need a special company for it, if you're not sending spam...

...so why didn't the companies send it themselves? Did they intend to send spam? I mean spam is often hidden under euphemisms like "E-Mail marketing" and there are some big players like Adobe in that field. Shouldn't we start going after them too, as they make spam appear more legitimate to businesses?

BlackBerry sued by hundreds of staffers 'fooled' into quitting

Christian Berger

They must be very desperate...

...because that's normally like suing IBM for patent infringement. Nokia probably has lots of patents Blackberry infringes... unless in the recent acquisition by Microsoft, Microsoft got all the patents. That's actually a likely thing as they threw away everything else.

Anyhow it's sad to see a company like Blackberry committing suicide like that. In business terms it would be an ideal candidate for a takeover. Axe all the upper management and replace it with sane people and you'll have a profitable business.

Huge if true: iPhone 8 will feature 3D selfies, rodent defibrillator

Christian Berger

You don't have a headphone socket anyway

Why not remove all sound features from it. Sound is just so old fashioned. And while you are at it, remove the display, those only crack and limit your runtime anyway. After a couple of iterations you could have the ideal smartphone, an extremely stylish piece made completely from something as bendy as rubber, but as smooth as acrylic or glass, but with no electronics inside... well perhaps you could have some on-chip oscillators so you can claim that it's an octacore running at x GHz.

Global IPv4 address drought: Seriously, we're done now. We're done

Christian Berger

Re: Y U NO IPV6 BRO

Well the Reg isn't much about technology. Otherwise they'd move from http(s) and HTML to something saner... like ssh.

Yes, I've bought something from an ssh-based online shop. You first send them your ssh public key via a web form... then you can log in.

Christian Berger

Re: IPv6 is fundamentally broken

a) IPv6 can do NAT just the way IPv4 could... nobody uses it, but I think it's even in the Linux kernel.

b) For browsers and stuff you can use a proxy server

c) If you are using a browser you cannot hide anyway, because your browser and OS will have a fingerprint.

Nobody does tracking via IP addresses as it can change at any moment (particularly with IPv6). What trackers do is to use cookies or your font list and screen resolution. It's a layer 5 problem, not a layer 3 one.

Talk of tech innovation is bullsh*t. Shut up and get the work done – says Linus Torvalds

Christian Berger

Well if we look into the past...

...many great improvements in computing came from people who were just doing something properly. Just think of UNIX. You have a bunch of people who were trying to put in a semi-minimal amount of work. Only features that had most "bang for the buck" were implemented, and the whole thing has a "can't somebody else do it" attitude. (having small programs for everything)

Today many people see innovation as doing trivial things more and more complex. Android, systemd or much of the Freedesktop projects are prime examples for this. I think this is because we have an excess of bad programmers who all want to do something... without understanding how to do it in a minimal way. That way they create lots of code that doesn't do anything productive.

'We need a new Geneva Convention to protect all citizens from snoops'

Christian Berger

Yes, but wouldn't the US ignore this...

...just like the current Geneva Convention?

Russia and China bombard Blighty with 188 cyberattacks in 3 months

Christian Berger

Attribution is (virtually) impossible

IP addresses say nothing, code styles can easily be faked or you can just buy exploits on markets, foreign characters in filenames or paths can easily be faked, as can dates and times.

We live in a world, where it's likely that the actions of some little kid are seen as a state sponsored attack, no matter how primitive they were. Also we live in a world where false flag operations are nothing uncommon.

If those organizations mentioned in the article would actually care about security, they would provide guidelines for actual security. They would advise against office software, they would advise against complex file formats, particularly proprietary ones. They would warn against closed source software, particularly when there's an auto update mechanism.

Samsung's Chromebook Pro: Overpriced vanilla PC with a stylus. 'Wow'

Christian Berger

Well the problem with TPM is...

... that it claims to be able to do lots of things, like protecting your system from physical access or someone becoming root in order to modify your boot process. Obviously that's bollocks, since if your system has already been compromised that way, it makes very little sense to achieve persistence via the boot process. There are lots of other, much simpler ways to do so.

That by itself wouldn't be a problem, but then there's the obvious problem of hardware vendors not allowing you to add new keys yourself... or making that particularly difficult to do. Microsoft already dropped the requirement to turn off the TPM, on ARM they even require it to not be possible to be turned off. Essentially we are now seeing the things people warned us about 20 years ago. Most smartphones already have locked bootloaders and if we are not careful, laptops and desktop computers might follow soon.

Chrome 56 quietly added Bluetooth snitch API

Christian Berger

It's a general trend in the browser community

Instead of doing things that would improve security (limiting Javascript from external servers, turning off APIs, simple client certificates) they do everything to solidify their oligopoly.

Every new API makes it harder for new competitors to enter the browser engine "market", which gives the browser vendors more power. Just imagine there were a truly free browser that does everything you want, like blocking external Javascript or selectively blocking Flash, instead of constantly making the UI less useful. Mozilla would be broke in months.

Who do you want to be Who? VOTE for the BBC's next Time Lord

Christian Berger

Maybe someone from the cast of "Selling Hitler"

It already has Tom Baker and Peter Capaldi in it. Maybe we could retroactively make that series the one with the most "Doctors". :)

For $deity's sake, smile! It's Friday! Sad coders write bad code – official

Christian Berger

Yes motivation is important, but it doesn't work that way

If you want to motivate your coders, give them interesting things to do. Allow them to express themselves and to make mistakes. Allow them to try to reinvent things. Hire competent people. If everybody thinks they can learn from their peers, it creates a very pleasurable atmosphere of constant learning and discovery.

Decarbonated sparkling water and such is just the way clueless HR drones try to solve the problem. That way you get the same boring list of employee benefits at every company.

WTF is your problem, Netgear? Another hijack hole found in its routers

Christian Berger

Re: Recommended SoHo router

If you want a "setup and forget" solution, look at a Fritz!Box. Those have auto update.

Christian Berger

The problem is rather simple

Netgear probably doesn't write the code running on their routers, they get the code from the chipset vendors and then reskin it. So they decide on a chipset, and while the hardware is being developed, they re-skin the firmware of the vendor. Any updates coming out since then will simply be ignored.

IPv6 vulnerable to fragmentation attacks that threaten core internet routers

Christian Berger

I thought they were dropping fragmentation with IPv6

I mean there's very little use for fragmentation. It's actually something people disable in IPv4 already as, even there, it's more pain than gain.

Oh, the things Vim could teach Silicon Valley's code slingers

Christian Berger

It highlights one of the aspects of truly free software...

... and that it has a defined scope and therefore can be "done". This allows for completely new freedoms like the "freedom to re-implement".

Viral Chinese selfie app Meitu phones home with personal data

Christian Berger

I'd go further

Don't use any local apps on your device.

Root it, install VNC and mosh, use iptables to make sure it'll _only_ talk to your server, and run everything off your own server.

There is no even remotely "secure" mobile device out there. The most secure ones you can get at the moment are the Pocket CHIP and perhaps the Pyra in the future.
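The two comments above (the one on Deutsche Telekom leaving TR-069 open to the whole Internet instead of limiting it to the IP range of its ACS servers, and the one about using iptables so a device will only talk to your own server) both come down to the same allow-list idea. The following is an added example, not code from either comment or from any product mentioned: a small first-match packet-filter model, used to compare the "open to the world" policy with the restricted ones, plus a renderer that prints the equivalent iptables lines. All addresses and ranges are constructed sample values; port 7547 is the conventional TR-069 CWMP port.

```python
"""Added example: compare an 'open to everyone' management-port policy with
an allow-list policy, using a tiny first-match packet-filter model.
All hosts and ranges below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any destination port

    def to_iptables(self) -> str:
        """Render the rule as an iptables command line (filter table)."""
        chain = "INPUT" if self.direction == "in" else "OUTPUT"
        parts = ["iptables", "-A", chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.action.upper()]
        return " ".join(parts)


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: Iterable[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match semantics with a default policy, like a Linux chain."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return default


# Constructed values: the ACS (auto-configuration server) range, the CPE
# device itself, and the single server a locked-down device may talk to.
ACS_RANGE = "203.0.113.0/24"
DEVICE = "198.51.100.20"
OWN_SERVER = "192.0.2.10"

# Weak policy: the TR-069 port accepts connections from any source.
OPEN_POLICY: List[Rule] = [Rule("accept", "in", "tcp", dport=7547)]
# Restricted policy: only the ACS range may reach the port; everything else
# falls through to the default drop.
RESTRICTED_POLICY: List[Rule] = [Rule("accept", "in", "tcp", src=ACS_RANGE, dport=7547)]
# "Only talk to your own server": outbound allowed to one host, then drop.
LOCKED_DEVICE_POLICY: List[Rule] = [
    Rule("accept", "out", dst=OWN_SERVER + "/32"),
    Rule("drop", "out"),
]


def reachable_from(policy: List[Rule], src: str) -> bool:
    """Can a TCP connection from `src` reach the device's TR-069 port?"""
    return evaluate(policy, Packet("in", "tcp", src, DEVICE, 7547)) == "accept"


def can_talk_to(policy: List[Rule], dst: str) -> bool:
    """May the device open an outbound HTTPS connection to `dst`?"""
    return evaluate(policy, Packet("out", "tcp", DEVICE, dst, 443)) == "accept"


if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)]:
        print(f"{name}: from ACS {reachable_from(policy, '203.0.113.5')}, "
              f"from elsewhere {reachable_from(policy, '198.18.0.1')}")
    for rule in RESTRICTED_POLICY + LOCKED_DEVICE_POLICY:
        print(rule.to_iptables())
```

With the open policy any Internet host can reach port 7547; with the restricted policy only the ACS range can, and the rendered iptables lines show how short the difference is in practice.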

IT team sent dirt file to Police as they all bailed from abusive workplace

Christian Berger

El Reg is not in the fact checking business

El Reg is in the tech marketing business, so why should they check?

Avaya files for bankruptcy

Christian Berger

What I wonder is...

...wouldn't it be simple to create a solution which would blow the competition out of sight?

I mean VoIP solutions, no matter what vendor, range from "WTF, has anybody even tried that" to bad. If you get together some mature developers it should be easy to come up with something that "just works" and doesn't rely on obscure SIP features or h.323 or such things. I mean today the "best" solutions available rely on Asterisk. Those work, but Asterisk has severe codec negotiation issues. If only someone would fork Asterisk and patch out all the design bugs (it would get much smaller that way) you could build solutions on that that would be much better than what we currently have. Or you could even just write something new with just the useful bits of Asterisk.

Linux is part of the IoT security problem, dev tells Linux conference

Christian Berger

Yes, but that's actually a general trend

We see more and more idiotic standards around. With the availability of libraries for just about any use case, it seems trivial to just cram them together instead of making your own lean and simple purpose-built protocol.

As with most security problems, it's probably caused by immature programmers. Every programmer has an urge to build complex "castles in the sky". Mature programmers have learned to control that urge and funnel it into creating simple but flexible systems.

In a way one could say that using Linux for systems which could work with some much smaller RTOS is a problem, particularly when you run additional services on it, but any decently mature developer will try to avoid having such unneeded services in favour of a serial port on a pin header on the board.

Congrats, PC slingers. That's now FIVE straight years of shrinking sales

Christian Berger

The markets are moving

In the last years we had several markets focusing on the PC.

We had the "home user" who previously had a home computer, but moved to the PC when it was promising more "bang for the buck" than an Amiga. Those people are now moving to Android.

We had the "office user", a traditional PC market which gained some traction when it was joined by the people who found out that you can use a PC as a terminal for some AS400 system. Those now experience longer product lifetimes, and Windows getting much less useful for them from version to version. This goes as far as there being serious legal doubts if Windows 10 could be used in a German workplace because of all its spying. So a new Windows PC is a tough sell there.

Then there's the "workstation" market. Those people bought UNIX-workstations and moved to PCs when they were cheaper and offered memory management (protected mode). Those are running Linux or some BSD on a PC, or also work with Macs or Windows with cygwin installed. Their future is uncertain, but if everything fails they'll probably move to servers and Raspberry Pis. A PC would have to be much better than the one they are using now to warrant a change... and particularly with things like UEFI that's not likely to happen.

Digital video recorder installers master password list 'leaked' – claims

Christian Berger

In the past people said that you should never write a password onto the computer its valid for

However compared to master passwords, that seems like a really good idea, since once you have physical access to the device, you could as well just pull out the hard disks from the RAID and read the data that way.

Fedora 25: You've got that Wayland feelin', oh, that Wayland feelin'

Christian Berger

The problem is that there are people perceiving problems

...and wanting to solve those problems, as it means a way of expressing themselves. Having your code in a major OpenSource software project gets you noticed and gets you a decent job.

However most of those people are too immature to actually improve the situation. At best they come up with something that has different problems, at worst they open up new dimensions of problems which will be fixed by yet another project. (see OSS vs ALSA and PulseAudio)

If I was to make such a "windowing system" I'd take a look at what other, more innovative operating systems have done. One example is "Plan 9" which exposes (virtually) all APIs via virtual filesystems. So you have a "main" directory which represents your screen, and every window would be a subdirectory. Inside those windows you could, for example, have your GUI elements as individual files/subdirectories. Since this works with basic file IO routines it's language independent and you can, for example, have a GUI toolkit that has elements written in different languages running as different processes. Since you have a file-based interface, you could even set access rights or export parts of that tree over the network. Essentially you get less code and get a much more flexible system. While speed might seem to be a problem when you first look at it, the use of mmap can easily solve that problem. However that's just my view of the world, unlike the "Wayland, Freedesktop, Systemd" people, I do not think it's a good idea to force this on the world.

FM now stands for 'fleeting mortality' in Norway

Christian Berger

Re: It's not the first country

FM-transmitters are so simple to build yourself that it's virtually impossible to regulate them.

Broadcast Band II is kinda impossible to use for non-broadcast applications as it's too low in frequency and too narrow for serious cellular applications. You could use it for paging... but then again our paging networks are already kinda dying.

Christian Berger

Re: It's not the first country

Who says Norway might not get back to FM? Or perhaps have a new generation of FM stations? Pirate stations perhaps. Since DAB covers Band III and FM covers Band II, there's no reason both standards can't coexist.

Christian Berger

It's not the first country

Australia already shut it down in 1961:

https://en.wikipedia.org/wiki/FM_broadcasting_in_Australia

Routine jobs vanishing and it's all technology's fault? Hold it there, sport

Christian Berger

Yes, but we've been good at making up work

We now have whole departments at large companies building management theories to justify that an appliance manufacturer needs manufacturing.

We have people who design developmental guidelines which completely miss the actual problems of developing a complex system and try to squeeze the process into an ideologic framework.

We have bad software taking more work to operate than to do the same job without their help.

We have outsourcing that requires more work to maintain and check the outsourced work than to do the job yourself.

We deliberately solve trivial problems as complex as possible to waste more and more work on them.

In short, we are currently doing a great job at making sure we all still work 40 hours a week, while the same amount of work could be done in 10 hours by people using proper tools and being well educated and experienced.

Folders return to Windows 10's Start Thing

Christian Berger

The sad thing is something different

As a more professional user I personally do not care much for Windows. However Windows used to be one of the reasons why PCs were so cheap. That way you can spend only a few hundred Euros on a high quality PC, ditch the current version of Windows and install whatever operating system you want.

With the move to Android we see a fragmentation of the market. Every Android device is incompatible with the others. That's why it's so hard to get other operating systems for those. We now even allow hardware manufacturers to lock down their boot loaders to actively prevent you from running your own software.

Christian Berger

Re: Can you imagine Windows 95 going at the speed of today's hardware?

Well a Win2k or XP with all the security bugs removed would be great. Unfortunately for some reason Microsoft refuses to fix the bugs.

It's an unfortunate trend, that software now seems to remove more and more useful functionality, but still gets bigger and bigger.

Virgin America mid-flight panic after moron sets phone Wi-Fi hotspot to 'Samsung Galaxy Note 7'

Christian Berger

Actually it seems more like the cabin crew were idiots

I mean the chances of someone still having a Galaxy Note 7 and taking it on a flight are very slim. Even more so that it actually creates a WLAN with the name of the device in it.

Eating Brotli will improve Edge's inner health says Microsoft

Christian Berger

Puns only work...

...among the most similar words. That's why team isn't a pun on tea, even though they share the tea.

A better image would of course be something like this:

https://de.wikipedia.org/wiki/Br%C3%B6tchen#/media/File:Kaisersemmel-.jpg

Zuckerberg turns his home into Creepy Robot Buddy

Christian Berger

Wouldn't it be rather simple to have a door that keeps idiots out

Just take a photograph, search it in the Facebook database and if you find a match with an account, open the trapdoor.

Oi! Linux users! Want some really insecure closed-source software?

Christian Berger

Bigger jumps in Version numbers

There's an obscure operating system called Windows. It jumped from 3 to 95 to 98 to 2000 to 7, 8 and then 10.

Why don't people secure their IoT gadgets? 'It's not my problem'

Christian Berger

Re: The problem's in the architecture

Yes, I still believe that this might have something to do with immature programmers. They try to design giant and complex "castles in the sky", but then are unable to implement them properly.

However making products that are supposed to "just work" is responsible for many of those security problems. That is, for example, why webcams try to instruct your router to open port forwarding for them.

Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

Christian Berger

Re: Failure the Unix way...

Well one thing is true, on Unix you move those checks to the domain specific parts at the edges. So in the core of your program you don't have such checks.

However on Unix you also try to have simple formats. Formats that are simple enough that they can be parsed with only very few lines of code. If you need more complex structures you try to use multiple files arranged in directories. Inside a file you only have line-based text separated with field separators. Inside the core, where nothing is problem oriented, you only deal with lines and fields.
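As an added example of the line-and-field style described in the comment above (this is not code from the comment or from any project it mentions): a parser for a small colon-separated record format, where every check lives at the parsing edge and the "core" function only ever sees clean tuples. The record layout (name, numeric id, shell path) and the sample text are constructed for the example; a malformed line is rejected at the edge rather than being discovered somewhere deep inside.

```python
"""Added example: parse a line-based, field-separated text format with all
validation at the edge, so the core works on plain tuples only.
The record layout and the sample data are constructed for this example."""
import re
from typing import Dict, Iterable, List, NamedTuple

FIELD_SEP = ":"
N_FIELDS = 3
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")


class Record(NamedTuple):
    name: str
    uid: int
    shell: str


class FormatError(ValueError):
    """Raised at the parsing edge for any line that does not fit the format."""


def parse_lines(lines: Iterable[str]) -> List[Record]:
    """Edge: turn raw text lines into validated Records, or fail loudly."""
    records: List[Record] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no record
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
            raise FormatError(f"line {lineno}: control character in record")
        fields = line.split(FIELD_SEP)
        if len(fields) != N_FIELDS:
            raise FormatError(
                f"line {lineno}: expected {N_FIELDS} fields, got {len(fields)}")
        name, uid_text, shell = fields
        if not NAME_RE.fullmatch(name):
            raise FormatError(f"line {lineno}: bad name {name!r}")
        if not uid_text.isdigit() or not 0 <= int(uid_text) <= 65535:
            raise FormatError(f"line {lineno}: bad uid {uid_text!r}")
        if not shell.startswith("/"):
            raise FormatError(f"line {lineno}: shell must be an absolute path")
        records.append(Record(name, int(uid_text), shell))
    return records


def parse_text(text: str) -> List[Record]:
    return parse_lines(text.splitlines())


def names_by_shell(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Core: no format knowledge here, just tuples grouped by one field."""
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        grouped.setdefault(rec.shell, []).append(rec.name)
    return grouped


# Constructed sample input.
SAMPLE = (
    "# constructed sample: name:uid:shell\n"
    "alice:1000:/bin/sh\n"
    "bob:1001:/bin/bash\n"
    "\n"
    "carol:1002:/bin/sh\n"
)


def rejects(text: str) -> bool:
    """True if the edge rejects `text` with a FormatError."""
    try:
        parse_text(text)
    except FormatError:
        return True
    return False


if __name__ == "__main__":
    for shell, names in names_by_shell(parse_text(SAMPLE)).items():
        print(shell, names)
    print("extra field rejected:", rejects("eve:12:/bin/sh:extra"))
```

Because the format is one record per line with a fixed number of fields, the whole edge fits in a few dozen lines, and everything past it can stay ignorant of where the data came from.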