Posts by Christian Berger

What I don't understand...

...the only remarkable product Acer had in recent years was their netbook series. If I was Acer I'd focus on that and try to explore the market.

However what Acer did was to market it towards consumers which are now fleeing towards tablets. If Acer was to bring out a version of their netbooks for professionals, they'd have a rather lucrative niche.

So they compete with identical products on identical markets. The only thing that could count would be reputation, but that's never been particularly good with Acer.

The FBI probably doesn't care

a) They likely already bought the exploit on the exploit market.

b) It's not plausible that they have problems getting to the data, at least not if they are as well equipped as the Dutch police:

https://www.youtube.com/watch?v=AVGlr5fleQA

What they want in the current case is a way to make the attack cheap enough so it can be used on large numbers of people. For a single case extracting the key out of a security chip is well within what Apple would charge for custom firmware.

We need better e-mail software

It's not like getting more secure than gmail is hard, the problem is that todays E-mail software is just horrible.

What it would need to do is to include GPG by default, even commercial vendors can include the unmodified binary without needing to open any of their code, and then apply sensible rules. If the software gets used for the first time, create a key pair. Then sign _every_ outgoing mail with your public key by default. Then store keys of incoming mail and try to make sensible suggestions to the user when sending mail to addresses you already got the key from.

This is actually largely irrelevant

MS-SQL for Windows only serves one purpose, and that's to calm down their customers and users by telling them that even if Windows Server would disappear tomorrow, they could still run their SQL-Server. So there's no need to switch to new fangled web stuff like PHP and MySQL or whatever.

There's virtually no practical use for this, as Linux users won't switch to MS-SQL (there are better free alternatives out there), and MS-SQL users won't switch to Linux.

Yes, but that's not because people want those

It's because in the portable <13" area you can barely get anything else than those things where the keyboard falls off when you want to hold them. So everyone who wants a <13" laptop can only get one of those and will have to live with that bug.

Of course hardware manufactureres will see that as demand for keyboards that fall off, and produce more, perhaps even extending that design flaw into larger laptops.

It's one of the big missunderstandings about the economy. Demand does not drive supply. Supply facilitates demand as you cannot buy things, and therefore cannot express your demand, which aren't offered on the market. So if you only offer X, people will buy X since they have little other chance. Things that aren't offered don't show up as demand in your numbers.

It's not weight they are optimising for

It's cost, that's of course heavily correlated to weight as the heavy stuff of a cable is also the expensive stuff.

Sorry, but we are far beyond that

Since classes of exploits like Rowhammer(JS) we know that sandboxes are only an illusion. It may help against errors, but effectively it cannot help against malevolent code. This is why it's so important that we prevent malevolent code from running at all. In short if you are running malware, you are doomed. The complex layers upon layers of code in modern mobile and desktop OSes do nothing meaningful to mitigate against this, they only introduce new security critical bugs.

The far bigger problem is of course that those bugs found here potentially could be used from the network side.

Yeah you can do that...

... at least in principle. Radio hams often have a device called a "tuner" which loads the antenna in a way to change it's resonant frequency. However to make use of this you also need to change the frequency you are transmitting at... and the antenna can always just have one resonant frequency... so I don't quite see how that could be something practically.

DAB would have some great potential if you get propper equipment

I mean audio takes rather little data, so how about building a radio that just records everything that's on? Such a radio would use the DAB EPG and Radiotext information to make the programme available to you just like an audio on demand service would do...

... however there would be one crucial difference and that's licensing. You would have the comfort of a download service, but the station would only have to pay the cost of broadcasting. So eventually you'd build a library of songs and other programmes on your device, completely legally and at a tiny fraction of what CDs or official downloads cost.

Well that's just a scratch on the surface...

... those modems are also connected via radio to mobile phone networks. Those are _extremely_ complex protocols implemented by very few companies with no security audits at all. So it's very likely that your modem can be compromised with a fake base station.

Such an exploit would be highly valuable as you can make it exploit a large chunk of the market, as those chipsets all run more or less the same code, probably even the same binary code. While on PCs you are still limited by what you can do via USB, on smart phones you have direct access to the RAM of your "Application Processor".

Actually it's not

You just need to learn to use some heuristics. For example how is it presented to you. Is it presented by some corporate droid or is it something you've learned about at a conference? If there's a company behind it, how hipster like is their webpage? Sure those things can be misleading, but it'll remove perhaps 70% of the junk and just a bit of the good stuff. You will see the good stuff again later anyhow.

Then you need to look into detail at what's being offered. Who backs that solution, do they have a track record of abandoning their projects (like Microsoft or Poettering), do they have a track record of over inflating their projects so they will just be bloat with a tiny bit that's of any use?

Then there's the issue of complexity. Will it reduce total complexity? Does it add complexity? Is the added complexity justified by the added functionality you actually need?

Those questions don't take long to ask. And after that you will have eliminated most of the junk. In fact if you have some experience you can even cut it down to "how is this better (i.e. simpler) than the currently best solution I've found that's used by the smart people?"

One should note that Microsoft isn't a homogeneous company

Just like any company of that size they have lots of departments fighting against each other. And the SQL-Server department is seeing that a whole new generation of developers isn't using MS-SQL any more. MS-SQL became popular because it was one of the servers used by the VB and Delphi community in the 1990s. The spiritual successor of those people are the web developers... and those people are almost exclusively using some unixoid system. So it's only logical for them to also offer a Linux version. They obviously don't care about the department that makes the operating system, just as that department doesn't care about the rest of the company (see Windows 8 and Windows 10).

It's nothing surprising at all. Parts of Microsoft see Windows as a sinking ship, that's normal and happens in most companies. In fact it's even healthy to diversify a bit.

They install apps from known bad sources on their telephones?

I mean seriously, RSA can be considered as a known bad source by now, but even installing any additional software from a source you don't _fully_ trust essentially violates the integrity of your device.

Yes some mobile operating systems claim to provide sandboxes your programs are separated in, but new developments like Rowhammer or Cachebleed show that sandboxes can only save you from simple mistakes, but not from a determined attacker. I would expect everyone at a computer security conference to have reached that point of insight.

If the NSA would actually see that as a problem...

... they would mandate for minimal security standards when it comes to SCADA systems. They would, for example, lobby for mandatory code reviews of such systems, including the source of the operating system they use. (That would lead to simpler operating systems as code reviews get more expensive the more code you've got. Less code leads to less bugs and less security vulnerabilities)

Instead the NSA wastes our money for spying on everybody, claiming that it would help them catch that one stupid "terrorist" using hotmail to communicate.

Now if there was a way to talk to people in far away places...

... without actually having to travel, that would render such aerocrafts largely obsolete.

Then you could just meet people via that way... such as it was predicted in science fiction movies like this one:

https://www.youtube.com/watch?v=yqRj3lvvg7Y

It's a shame we don't see programming as a basic skill

We now live in a world where we have nearly as many computers as we have pens. We see writing as a basic skill with literacy rates usually way above 90%.

To make the analogy from books to computers: We live in a world full of books, yet reading or writing is left to a few chosen ones. We see books as magical items which many people think they will never be able to see. At the same time, the literary class is actually widening the gap by making systems harder and harder to understand by making them more complex. UEFI, HTTP/2 and Systemd are just some examples for that.

We need widespread computer literacy!

Don't put microcomputers into cars...

I know we all have been promised KITT, but in reality it only leads to exhaust scandals and car hacking.

Though the car hacking part was already predicted in the 1980s.

https://www.youtube.com/watch?v=kDMLPvBWvpo

This video is in German, but shows off the hacking parts better:

https://www.youtube.com/watch?v=nNKS1rzPkA8

Are there even engineering jobs left in Silicon Valley...

... or to be more precise, such jobs that do not involve killing or exploiting people?

I mean you usually don't need much technical expertise to start a start-up, and even if you don't have that, you can easily outsource it.

As for larger companies, why are you even in a place where education about science and engineering is as bad as in the US? Just open up a new development centre in a country where people aren't scared of digital clocks.

This comes from the company...

...which does not peer with others and charges twice as much as the competition to get to their network. Hosters in Germany already offer you direct traffic under the name of "double paid traffic".

It's getting needlessly complex

Any sane person would just get a couple of large computers enable what ever kind of remote access (either remote desktop or ssh) and just run the already working software that way. Have your home directories stored on some file servers you regularly back up so you can switch to standby servers in short amounts of time.

You don't have to go all "cloud" to offer a centralized service. Offering computing services via remote lines is something that works, reliably, since the 1960s. Even Windows, which was one of the last large operating systems to do so, offers multi-user capability with networked terminals since about 2000. Just set up a hardened Windows 2000 box somewhere and let people log into it.

What's funny is...

...that mobile carriers are messing with their customers traffic for years. Usually they downscale images or add their own tracking stuff, even adding your telephone number into the HTTP request header.

Now they actually do something which has the side effect of being useful for some users there's some discussion.

The problem is that even if you wanted to build a "secure" industrial system...

... the industry will throw their spanner in the works. Essentially you will get industrial systems which can only be controlled by OPC (OLE for Process Control) or if you are lucky OPC-UA, it's cousin which drops DCOM for SOAP.

Seriously, there is no way any of those companies is ever going to correctly implement those systems. There is no way you can run those systems without them having huge attack surfaces.

What we'd need would be regulations limiting the maximum complexity of those systems. The simpler they are the easier they are to understand and that gives people a chance at securing them.

Yeah, but hopefully...

...they won't keep the engineering. Those people know very well that working for a company like Palantir is highly unethical, and Palantir is one of the companies people recognize the name.

So whenever you are talking to "normal people" (e.g. the ones who speak at least 2 programming languages) they will back away or try to argue with you when you mention where you work.

Now those people at Kimono still have the possibility of getting out. This will get harder and harder as the bubble deflates.