Posts by Christian Berger

The point is not to match skills

...because companies usually have no idea what skills they need.

The point of education is to provide people with the ability to learn the skills they happen to need when they need it, plus the overview over the whole field so they can decide what technologies are the obvious traps and what technologies are actually useful. Of course vendors of crap technology see that a lot differently. :)

Teach people how to think, introduce them to as many fields as possible, that's the purpose of school. The purpose of university is not much different just the fields are a bit narrower.

Data protection has the rank of a human right in Germany

Back in the early 1980s there was a constitutional court decision that derived data protection as a basic right. So it essentially it's the same as the right for property or the right to maintain your body integrity.

Those "Sharing Economy" companies essentially want the legal equivalent of organ donation squads. Just like I have the right to not be cut open by someone, I do have the right to not have to give my data to someone.

Wait, but laptop still have LCDs

Even though todays LCDs need almost as much power as plasma or EL displays, the TFT panels we have now are technically LCDs.

It's a question of political will

For example in Germany in the 1980s there was a project called BIGFON, it was designed to explore the possibilities of the (then news) fibre optic cables for use in subscriber line. The idea was to give every subscriber 280 MBit/s downstream and 140MBit/s upstream and once testing was successful and suitable standards were found, to go ahead and provide that kind of service to everyone in Germany. Even the money was already there from profits the post office made...

The project was aborted for political reasons. The results can be seen now. Most Germans don't even have access to one megabit. The German telecommunications equipment industry is _far_ behind the competition. You cannot buy a German equivalent to a Cisco. Companies like Siemens, which used to be on the forefront of innovation, didn't feel any need to innovate any more, so development stagnated to a halt. Gradually you had the choice between equipment from Siemens, or equipment from the rest of the competition, which had more capacity with less rack space... and was cheaper. So Siemens regularly sells off their innovative departments when they fail to meet arbitrarily set goals, which then go bust because they don't have the momentum to survive.

Investing in those projects has long lasting effects, even far beyond the actual project. If Singapore wants to have an advanced cellular network, they will need lots of network engineers. They will have people who are inspired by this to go into engineering and those people will get jobs.

The interresting question is: Will it be a common platform

Unlike mobile phones which are usually sold along with the OS, selling a server which can only run one (version of one) operating system is a hard job. People want to choose their own operating system. For this you need sensible ways to make sure one OS image can boot on all machines... at least enough to enumerate the hardware and load proper drivers. (which for security reasons cannot be closed source in many companies)

If such a platform emerges, there will be a chance that it'll be used outside the server business. For example for workstations or "high-end" mobile phones. If we had that, we'd finally be able to run one image on multiple phones and finally have some competition and progress in the mobile area.

The problem is that cloud services are allowed for such things

I mean particularly with IPv6 all of those problems could be solved easily at home. If you want to look into the fridge while you are out, just press a button on it, it'll display its IPv6 address and a one time authentification token on its display (perhaps as a QR code). You snap it with your phone, decode the QR code and use your browser to access it. No cloud service necessary to spy on you. Since it's IPv6 you can have your public IPv6 address there and it'll just work.

However in any case, the main problem is that such solutions require a minimum amount of effort and competence. Current systems are catered to people who have no idea of what they are doing.

It's like a fish taken out of the water...

... it struggles to live on, but clearly it's likely to die anyhow.

The times when Windows upgrades happened automatically, because every n years more new PCs were bought than there already were, are over. Since roughly a decade PCs have a useful lifespan of 5-10 years. Additionally most of the Windows software in production use today was written in the 1990, full of technologies which seemed cool at the time, but now are long obsolete and often not found in current versions of Windows. One example is DCOM which is crucial for industrial applications.

It's foolish to build a new system based on Windows. Even if Microsoft survives another decade, they probably will regularly break your software by force upgrading computers to a new version of their OS.

There's a good and a bad side to this

The good side is that it makes it easy to make your everyday transactions anonymously. This is important in any democracy.

The bad thing is that "suitcases full of money" actually exist and are a common form of money transfer for large illicit purchases. Back when Swiss still had anonymous accounts, it was not uncommon to have people drive over the border with huge amounts of cash.

So ideally we'd get rid of high value denominations. Getting rid of everything above 100 Euros/Dollars would turn one suitcase of money into 5 or 10, making this kind of illegitimate transfer much more cubersome.

This also applies to that car from the sci-fi series where they travel back in time...

...you know, the Lada Niva from Návštěvníci.

https://www.youtube.com/watch?v=_rm4ciogF3s

I guess the reason is that, as mentioned in the series, it still runs on petrol.

Looking back those machines weren't that slow

Sure at our school we had a Xenix system with around 30 terminals on a 386 which did get slow when 30 pupils were hacking away in Works for Xenix, but then again many modern applications are just as slow on modern hardware. I have seen KMail not keeping up with my typing speed. I have seen computers taking minutes to load the work processing application.

Maybe the reason for this is just bloat as suggested by this talk here:

https://www.youtube.com/watch?v=Nbv9L-WIu0s

If every product on the market is the same

your market will be like the one for sugar, the cheapest seller wins.

I mean seriously please differentiate. Build mobile devices which are different to the others. For example mobile devices that are easy to fix and can run any operating system you want. Perhaps devices with a keyboard, perhaps devices which don't follow the brain dead idea of having the front being a full sheet of glass which fractures at the slightest drop.

In a way a problem of botched mass education

Imagine everyone had some meaningful IT classes during their school career. Surely most would know nearly nothing about it when they start working, however you still have a basic idea about it in the heads of the people. Over all, it's likely they will get a feeling about what's easy to do and what's not.

And this is the big problem about many software projects. People don't have a feeling for how hard something is. That's why they often choose unnecessarily hard ways to solve a problem. At least that's one problem, many programmers also try to cut the boredom by trying to make their work challenging, unfortunately usually beyond the point of their own abilities. The earlier you have started to program the more likely you are to be beyond this point and just write software as easy as you are able to.

Democracy requires the option of anonymity

particularly when you deal with issues regarding forming an opinion. This is one of the most basic rights in any society.

We do accept number plates on cars since driving a car usually isn't a form of political expression, however you can potentially harm other while doing so. This is something completely different, though there are edge cases where you are driving with a car to a demonstration or something.

A completely open society won't work either, since certain people can just create new legal persons (companies) and use those to obscure their actions.

Well it's RSA

They sell closed source "security" solution... that alone would be a reason to not trust them as finding back doors is incredibly hard there... plus they have a track record of actually working with the NSA to put in back doors.

No! You _must_ blame them for trying!

Not blaming them for trying is like not blaming a bank robber for trying to rob a bank. The GCHQ is paid by the people, so in a democratic society it must not turn on them.

The GCHQ is not some child testing its limits, they are the ones who _claim_ to be the good guys. They are the ones who, by their own standards, must never do such a thing. They are the ones who claim to protect you. Trying to reduce the level of encryption, and therefore security, is exactly the opposite.

The problem with this will be...

... that people have been trained to make highly complex interfaces like SOAP or whatever.

This concept only was able to be so successful on Unix because the interfaces were dead simple yet incredibly efficient. Take a look at sort, it can sort any kind of dataset. It doesn't need to be adapted when you change your dataset as long as it's tabular data with one line per dataset.

It's little use splitting your task into several if most of the complexity will lie in the interface between them.

There seems to be one area where self regulation actually works

...and that's ransom ware. They do have very good customer service so you do get your data back when you pay.

Whether or not we actually want to have that particular business model is a different question. Unfortunately we do have to little regulation in that regard, that's why, for example, companies making DRM are still legal.

Will there be a common platform

The big problem about ARM right now is that virtually every computer requires its own OS image. While on PCs you can boot your OS on virtually all PCs with just 2 images, ARM systems are incredibly diverse.

Seriously on a PC you can blindly access some ports and you will always find a serial port. Same goes for basic graphics, USB, SATA or whatever you could wish for. And for things that do not have fixed ports you can query the devices in a standardized way.

This needs to be established first before we can think about having ARM servers. There's no point in having one that can only run version X of operating system Y.

Hopefully eventually such a standard platform will move into the mobile world. This would finally mean that you could choose your operating system independently of your manufacturer. You could even update your software without it. Suddenly a mobile device might actually be useful for a longer period of time.

Running your own firmware is not a security problem, it's an essential right you have

The problem in this case was that you could change the firmware without being physically at the device. A simple button, or in fact a timer that only allows firmware updates for the first n minutes after booting would have solved that problem.

Of course this is an easy find. Just look at the firmware images, take them apart and change them before putting them together again. Installing the cross compiler to make your own binaries to put into that image is more complicated than that. Many people who want to start a carrier in security or who want to promote their security outfit just bring that out purely for promotion. That would be perfectly al right if it wouldn't set the idea into peoples mind that running your own firmware is a security risk.

Let me put it in another way. What they did is to change the firmware and remove the update function. A legitimate user might do exactly the same. First remove all the junk from the firmware you don't want (i.e. the calling home functions) then remove the update function so nobody would install the less secure vendor provided version again. Removing functionality is relatively easy and it can bring you a great security benefit.

Again, running your own firmware is not a security problem

Sure, firmware updates over the Internet should use HTTPs and perhaps some checksumming to check if you really have the firmware you wanted, however putting your own firmware onto a device is a right you have, not a security bug.

I've seen the talk

First of all, if the discovery process really happened as described... that was the teams first attempt at hardware reverse engineering... and they obviously had nobody to ask. If they had asked someone they could have skipped several time consuming steps.

Then again, running your own firmware on a device is not a security bug, it's a vital feature to keep you from having such bugs. Only then can you develop alternative versions without vendor induced back doors. The KVM manufacturer did everything correctly by enabling firmware updates only via the serial port. It may actually even be impossible to update the firmware via USB as the microcontroller needs to run the USB stack which it might not be able to do while flashing firmware. (in short on those boxes you cannot update the code you run so you are limited to a small "bootloader" memory)

So the only problem would be IP-KVMs, which they haven't looked at. Obviously you shouldn't connect them to a public network, just like you shouldn't connect your normal KVM to a public network. The whole point of having such a device is to have a separate channel to your servers from the network.

And please don't link to ackward to use websites like Youtube when there's a perfectly simple download link at the official video location:

https://media.ccc.de/v/32c3-7189-key-logger_video_mouse

No it was pole vault training

At least to this news report from a respected German source:

http://www.der-postillon.com/2016/01/erschutterung-in-nordkorea-laut-cia-nur.html

Uhm, that's what Digest Access Authentication is for

https://en.wikipedia.org/wiki/Digest_access_authentication

Essentially it means that you'll never send your password over the connection, but only random numbers and hashes. This is a feature in HTTP which is there for probably over a decade.

It's to early to provide solutions... provide canvases instead

I mean look at 1980s home computers. Those weren't "pre buildt" machines. They were computers which, when you connected them and turned them on, provided you with a (more or less) blank screen you could program on. You could just start typing, and program them. You could even just enter a single line of program into them and they would just execute it. All thanks to the magic of BASIC.

The company making that computer did not tell you what to do with it, at best it gave you suggestions. That's why you suddenly had a Cambrian explosion of uses for computers. While before that your computer would be used to hunt down oppositional forces or organizing a funeral, you could now do lots of different things. You could hook up a robot arm to it so it would drop an egg onto your breakfast table or simply play a computer game.

This is what's missing in the IoT world today.

The Dutch had a special problem when it comes to IT security and governments

They once had a census. It contained lots of question and was made with the back then state of the art technology of punch cards. One seemingly harmless question was "religion". Surely there can't be any harm in that can there?

Well some months later the Netherlands were invaded by Nazi Germany. So the Nazis went to the governmental offices, got those punchcards and threw them into a sorter and a tabulator to get nice lists of all the Jews... that's why the percentage of Jews in the Netherlands killed back then was so high.

So you don't store data you don't need on your servers. You don't weaken encryption so you can store more data about your people. It's just bad, even if you do it with good intentions.

Wrong security model

The whole idea behind the "security" of such a games console is that people cannot pirate games or sell games without a license. That's the whole idea about all of this.

There are 2 people who want to break your security system. The first is people who want to pirate games, the other is people who want to have control over their hardware, for example to run Linux on it. Experience has shown that it's the second group you have to worry about.

The PS3 has the ingenious idea of just keeping the second group happy. You could run Linux on it right from the start. That's why the second group was pacified so it wouldn't look at your security systems. So even a trivial system was good enough to defend against the first group. Then however the PS3 slim came which removed the capability to run Linux. This angered the second group to find ways to regain their right... which lead to exploits... which lead to pirated games.

I know managers and executives at that level rarely think things through, but they should know by now who their enemies are. Declaring your customers to be your enemies is not a viable long term business strategy, though in the mid term it might work. Just look at BluRay sales, which only took off after you could rip those disks, or DVD sales which did the same (though a bit delayed as hard disk sizes had to increase first), or online music sales after the DRM was lifted.