Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Upset Microsoft stashes hard drive encryption keys in OneDrive cloud?

Christian Berger

This seems more like a "get the competition out" feature...

...than a security feature.

I mean obviously if you can get that key back from Microsoft, it's very likely you'll be able to social engineer your way to it. So for the criminal wanting to steal your data that's not exactly much of a hurdle.

However it's a big hurdle if you want to install another operating system in parallel. This system then won't be able to access your data as it cannot get to the key.

John McAfee rattles tin for password replacement tech

Christian Berger

This would be a good idea if

... you wouldn't have to give out objects you have at searches.

Unlike a password, you can legally be forced to give the police your device.

But hey, this comes from John McAfee, the snake oil salesman, it's not like he ever (professionally) thought a security related question through to some extent.

Java 9 delayed until Thursday March 23rd, 2017, just after tea-time

Christian Berger

Re: What's the hurry?

"We've just had V. 8 and now 9 is already on the horizon? Why?"

Simple, Oracle declared that Java should not be "the new COBOL". That means they have to do everything to not make it become stable (as in unchanging). That's why they follow the idea that new features are always good, even if they are not very useful or well thought out. New means good to them, period.

Christian Berger

Re: Friends don't let friends install Java.

"Lots and lots of Java."

Yes and that's usually the problem. Java programmers tend to solve problems in overly complex ways. When you would usually write a small program to do the job, they write thousands of lines of code, trying to build some grand architecture... which is then lacking crucial features while providing features nobody wants.

Plus there's the problem of incompetent Java programmers. Some programmers seem to assume that Java somehow magically fixes all their problems. A nice example is a project I worked on. Some protocol requires the client to send a 32-bit unsigned integer as a text to a server, that server then responds with that integer. Both times the integer gets sent as a text field in a JSON message. On the first tries we found out that it only works approximately 50% of the time. Debugging it, we found that the server responds to numbers above 2147483647 with negative numbers. A classical integer overrun. Java could of course protect you from this, but it doesn't. Integer overflows are even baked into the standard. Modern Pascal, for example, does it differently. It allows you to turn overflow checking on or off. If you turn it on, you get an exception in case of such an error. Overflow checking is much easier to do on the compiler level (it can use the carry flags of the CPU) and takes virtually no time to do. A branch not taken only takes the time to load the opcode from memory... which is usually done in parallel to the other functions. "Modern" CPUs will then just "run over" the branch and backtrack in the rare case that you had an overflow.

New HTTP error code 451 to signal censorship

Christian Berger

Re: IETF were not persuaded it was a good use of a limited number of status codes

"But what does the browser do?"

Route the request via a different route.

Juniper 'fesses up to TWO attacks from 'unauthorised code'

Christian Berger

One should note...

...that this bug really smells like it comes from the NSA. After all it's in their random number generator.

And Juniper (claimed to) fix(ed) it, nobody knows if it's still in other equipment.

Hillary Clinton says for crypto 'maybe the back door is the wrong door'

Christian Berger

There is a way to do this... encourage bug doors

The non-suspicious way to add back doors to your system is to encourage the creation of bug doors. Once a system reaches a certain level of complexity, mistakes will just happen. And the more mistakes and bugs happen, the more likely it is that those will be exploitable. Just invest into code reviews and there you go, back doors for free and everybody can easily claim they did it on purpose.

Doing this is comparatively easy, encourage complexity-increasing ideas like the Stroustrup-like OOP, discourage simple solutions to trivial problems. Eventually you will raise a generation of "Poetterings".

A nice side effect is that the "market" for software will become more monopolized. Having a highly complex logging system means that it becomes harder to re-implement it.

How long until we can build R2-D2 and C-3PO?

Christian Berger

I'm pessimistic about this

Whenever I'm looking at modern IT, I see trivial problems solved in ever more complex ways. At the same time there's less and less sensible computer education.

Firefox-on-Windows users, rejoice: Game of Thrones now in HTML5

Christian Berger

Could be cheaper

"Despite my DRM objections above, it's crazy cheap and convenient. I can't see how it could be any cheaper for the service."

Well DRM systems are rather expensive. So ditching it could easily lower the costs. Also it would make the market explode and lower costs because the one off costs are more easily recovered.

A good example for this is broadcast television. It manages to produce a variety of different contents for a comparatively small fee. And obviously it's DRM free.

GOP senators push FCC to kill support for local broadband

Christian Berger

Re: Do It Yourself

Well the problem is that in civilized and densely populated countries you already have a dense network of fibre optic cables you can rent at reasonable prices. Plus there are Internet Exchanges where you can peer cheaply with other providers.

So effectively you are not going to get any decent uplink at a decent price. That's one of the big problems small ISPs are facing in the US.

Christian Berger

"Private companies give a better service at a cheaper cost than government ever could, so of *course* they shouldn't have to actually *compete* with government"

I'm sorry, but I hear this over and over again. So far I have only seen counter examples for this. For example the state run telephone company in Germany used to run the most modern and most reliable network in the world, now that Deutsche Telekom is privatised we are lagging even behind eastern European countries. Back when Deutsche Bahn used to be a state run company, the trains ran reliably and "unpredictable" events like heat in summer or snow in winter were no problem at all. You even had telephones on trains, and they worked!

Is there _any_ example where privatisation actually improved the service?

Christian Berger

Natural monopolies must be in the public hand

Seriously, the lines into people's houses should, just like the roads leading to them, be in public hands. Essentially we would need government agencies to build or order the infrastructure and then either do network access or telephony themselves on those networks, or lease them out to other companies.

Strict new EU data protection rules formally adopted by MEPs

Christian Berger

Can't be a significant improvement...

...otherwise Google and Facebook would be up in arms against it.

Nokia, ARM, twisting Intel bid to reinvent the TCP/IP stack for a 5G era

Christian Berger

Please don't

If they already start with buzzword bingo the result is likely to be just a failure like HTTP/2.

The whole idea about Internet protocols is that they are easy to implement by anybody. If you don't have a diverse range of implementations you end up with problems like Heartbeat or NTP vulnerabilities. To have a diverse range of implementations you need to have very simple protocols. The simpler the protocol, the better.

"Optimizing" a protocol for any special use case, i.e. mobile telephone networks, only means increasing the complexity while increasing the barrier for competitors to enter the "market". In the end you'll have some very few implementations with one or two which are good, while the rest is too bad to be used.

Whisper this, but Java deserialisation vulnerability affects more libraries

Christian Berger

I wonder what sort of mind set is behind this

I mean seriously, it's _never_ a good idea to store your internal data structures, whether you use simple memory copies or deserialisation methods from your language.

Even if there were no security problems with this, you'd still make it needlessly hard for someone using a different programming language to interface with your software.

New edition of Windows 10 turns security nightmares into reality

Christian Berger

Re: IoT = Internet of Trash?

Well usually that's because it makes sense in some way (think of ticket vending machines, reporting back how many tickets they have sold, or how much paper they still have and when the money needs to be emptied out), but you have no fucking clue how to design such a machine, so you slapped some VB GUI onto it running with Access as a database. You perhaps even have some self-drawn user interface eliminating all the remaining advantages of Windows. Instead of getting a competent programmer to re-implement the whole thing in a couple of days, management decides to throw good money after bad and just put the existing system onto the Internet.

Christian Berger

The problem is complexity

If you choose to use Windows as an underlying operating system, there's _lots_ of complexity you cannot turn off. For example you have a full network stack you may or may not need. You have a complex boot system, you have a registry or logging system, you have a shell, you have USB support, etc. All of those features may be useful for your project or they may not. In any case it's pseudo dead code which is of little use, but may turn out to be a security problem.

If you want to have secure systems, you must have simple systems. That's more a question of your mind set rather than a question of your language... however there seems to be a correlation between people using C++-style OOP languages (C++, C#, Java, etc) and people who don't know how to simplify problems. Therefore it appears that most C++/C#/Java programs become horribly complex and unmaintainable.

Christian Berger

Actually there's plenty

For example my neighbour has an Internet connectable oven. It's a bit like Internet connected TVs, nobody likes them, but at a certain price point those features seem to become mandatory.

In a way most ATMs are IoT devices as they are connected to the Internet. Often ticket vending machines are. Even those ad-displaying devices commonly known as "smartphones" are more or less IoT devices.

BTW, there is an easy heuristic way to spot the Windows IoT device. If you interact with it, and _you_ have to wait for _it_, it's usually a Windows device. That's not because Windows is slower, but because there is a strong correlation between people who have no idea how to design embedded interactive devices, and people who build IoT devices on Windows. (The same will probably eventually be true for Android based devices)

Microsoft encrypts explanation of borked Windows 10 encryption

Christian Berger

Re: Decrypted :

Decrypted: "We have no ****ing idea what happened as Windows is even more complex than gnome with systemd, but as we find out what department it is that messed up, we need to say something."

VTech's Android tablet for kids 'hopelessly insecure'

Christian Berger

There is no protection against physical access...

...at least none that's implementable in any sensible way on a budget, but that's actually not really much of a problem. The insecurities of Android are not that you could dump the Flash when you get your fingers on it, the insecurities of Android are that it's so complex it probably has lots of remotely exploitable security holes in it, in addition to any vendor built-in back doors.

Popular 3G/4G data dongles are desperately vulnerable, say hackers

Christian Berger

Well, but changing firmware from the user side is a feature...

...not a bug. Not being able to change the firmware myself would be a bug as it would keep me from updating/modifying my firmware as I wish.

An actual bug would be if the operator/manufacturer could change the firmware without my consent... unfortunately the operators and manufacturers have a different view on this.

Mozilla: Five... Four... Three... Two... One... Thunderbirds are – gone

Christian Berger

> Also for those demanding 1990s style mail there is always SeaMonkey.

Wait, I always thought it was the vision of the GNOME/Freedesktop people to create a 1990s style world where everything requires some complex IPC mechanism and nothing is just plain text anymore. I thought that with Unix and PCs and Linux this time was past.

If a picture tells a 1000 words about latency, Google won't load it

Christian Berger

So far you rarely wait for images

Most of the wait for webpages to load is for DNS queries to go through because some idiot thought it would make sense to use some bloated Javascript from some other domain.

Microsoft wants to be your phone company, at least for voice

Christian Berger

Re: Not as simple as it seems

The problem is that most big companies in that business care much more about certifications than getting their SIP stacks to work properly.

With decent kit and decent VoIP providers setting up a line with DDI is no more effort than choosing the company in a drop down field and entering your username, your password and your number range.

Cartoon brings proper tech-talk to telly

Christian Berger

Well it shows effort

The writer may have had no idea of what they were writing, but copying techno babble from some sales brochures and having someone with a bit of knowledge looking over it is a big step forward from what we are used to.

It's in a way a new wave of film makers who actually care about what they are doing. That combined with a talent can make wonderful things.

If you don't have talent what you get is this: https://www.youtube.com/watch?v=fGJTj9mscrg ;)

TV broadcast vans drive ESA from Perth

Christian Berger

I always liked the name of the UK ground station

"Goonhilly" has a really fun ring to it.

Meanwhile some dish-porn from the German equivalent station to Goonhilly.

https://commons.wikimedia.org/wiki/Category:Erdfunkstelle_Raisting

Why Microsoft's .NET Core is the future of its development platform

Christian Berger

Embrace, Extend, Extinguish

That's one of the standard strategies used by Microsoft. They already did that with the web, now they try to do that with the rest of computing.

Here the strategy is clear, they want to have more .net people working under Linux. Those people usually have the C++/C#/Java mindset, which has been criticised extensively in many places. In short it leads to projects having lots of code, which take lots of developer resources to develop and lots of resources to maintain. This is why, while you can develop a simple unix flavoured operating system in less than a man year, C++/C#/Java projects typically take large teams and just go on and on forever.

This is in a way very dangerous for the free software community. While it can currently afford to sustain projects with entities like the Mozilla Foundation, nobody knows what the future will be. Without a large (non profit) company like Mozilla, projects like Firefox would probably quickly disappear as you need large teams to maintain them. In contrast, the BSD people show that it's possible to develop and maintain a whole operating system with just a handful of people.

Cat discovers GNOME desktop bug

Christian Berger

Not quite

The problem is not which tool kit to use, but using a complex tool kit at all. That's why, traditionally, such screen savers and screen locks didn't use a tool kit at all, they were written with raw X11.

Once you have some graphics tool kit you will always have features you want to have in a normal application, but not in a screen saver. Things like accessibility functions or spell checkers.

The big problem however is that screen savers used to be secure before the Freedesktop tried their hand at it.

Kids' tech skills go backwards thanks to tablets and smartmobes

Christian Berger

They don't use computers the way they are intended

They use computers only as media consumption devices. Instead of using computers with their full potential, which also means writing the occasional small program, they just consume mindlessly.

Eric S Raymond releases hardened, slimmer NTP beta

Christian Berger

OpenNTP has its uses, however...

OpenNTP is great for keeping a rough time of day on your computer, however it's not meant to be more precise than 50 milliseconds. It apparently doesn't even compensate for drift.

Also OpenNTP doesn't allow you to have hardware time sources, so you cannot use it for time servers. It's just meant for the 90% of people who can tolerate having a clock that's 50 milliseconds off. The rest of the people still had to use ntpd with all of its security holes.

Particularly the ability to compensate for drift is getting more and more important. It allows you to synchronize systems via IP. That way you can make things like small scale DAB transmitters running on Raspberry Pis or even rented virtual servers on the Internet. Since all the clocks of all devices run at the same rate, you will never have buffer over- or underruns.

Microsoft working hard to unify its code base, all the way down to the IoT

Christian Berger

Actually that's bullshit

Running the same code, or even code written in the same language on different devices is not very important. In fact if you do so you will most likely encounter certain problems:

1. Your protocols and data formats will be rather badly defined, you might even just copy blocks of memory around (in languages like C) or use the dangerous serialisation and de-serialisation methods your language provides (for example in Java). Even in less bad cases your format will be defined by code, not by some specification you wrote. That's usually a bad idea.

2. You will encounter certain problems. While it may be possible to code firmware for a micro controller in your unified language of choice, you will certainly hit hardware limits much earlier. Storing even a 10 kilobyte runtime on your controller means having to choose one with at least 16 kilobytes of flash when one with 2 kilobytes would have done otherwise. That's many cents per controller.

3. You don't actually gain much, as all the cool features you like from your favourite language won't be there in the downsized embedded version. Or if they are available they consume more memory than you have.

However I can see how such an idea might look appealing to people in the Windows world. There you often have binary file formats or XML. Getting data from one program to another is already hard if you use the same programming language, inter-language communication between programs is largely unknown. Windows people never grew up in a world of simple reusable tools which use simple text formats as an input and similar formats as output.

In a way standardizing on one language/codebase is like standardizing on one graph:

http://dilbert.com/strip/2015-11-18

Yes, GCHQ is hiring 1,900 staffers. It's not a snap decision

Christian Berger

Re: "those who would destroy us and our values"

David Cameron probably is one of the people where the worst rumours still would make him look much better than what he's actually doing right now.

Or to express it in another way, having sexual intercourse with a pig would be, in my opinion, far less morally bad than using dead people to advance your own goals to gain more power.

It's Gartner Magic Graph of Wonder time! And Google won't be happy

Christian Berger

Re: Gartner

I'm rather sure that those predictions depend more on how much money those companies spend on Gartner predictions. That's why companies like Mitel aren't in the "utter shit" quadrant, despite selling kit that's too buggy to even be testable.

Hackathons: Don't try them if you don't like risks

Christian Berger

Hackathons are not here to benefit companies

A company sponsored hackathon is a perversion of the idea. Hackathons are part of the hacker community to gain and share experience, not a contest to outsource the work nobody can do at your company.

Most developers have never seen a successful project

Christian Berger

Again I don't think it's methodology

The main problem is that most developers have not learned how to look at a problem, skin it down to its core and then implement that core in a way you need as little code as possible. Then you have a prototype you can test, modify or downright abandon and start all over again. Even if you abandon it you won't have lost much, as making such a prototype costs very little time, usually much less than trying to fudge around a badly designed system. Then if you have a core that works, you start hanging new features onto it. Often you will find that this gets much easier than your original proposal of having the feature in there in the first place.

The most important aim in software development has to be the reduction of complexity. Try to keep your code as simple as possible, try to keep interfaces as clean and elegant as possible. Don't try to optimize unless it actually makes sense.

GCHQ goes all Cool Dad and tags the streets of Shoreditch with job ads

Christian Berger

Re: This is the best art they could do?

Yes, but what if it's the only job you can get?

Christian Berger

It almost sounds like a strategy...

Please allow me to put on my conspiracy theory hat. :)

You first make sure that the country is in deep trouble by privatizing infrastructure and bailing out banks, then you invest into surveillance to suppress the masses rightfully demanding a piece of the cake. Then, since there's mass unemployment, it gets much easier to find people for suppression.

Seriously, enjoy one of the few good parts of Europe while you can. Europe allows you to simply work everywhere within the EU. Particularly in IT most of your new colleagues will speak English, so you can start with just a basic understanding of the local language.

Here's one example:

http://www.hfo-telecom.de/karriere/stellenangebote

They are searching for a software developer full time.

Boffins teach Wi-Fi routers to dance to the same tune

Christian Berger

Very sensible, though you'd expect that already to be implemented via LAN...

...at least on larger installations.

UN privacy head slams 'worse than scary' UK surveillance bill

Christian Berger

The UK surveillance bill...

...shows again that the UK is not a free society. Taking part in any democratic process requires the option of anonymity. Without it you cannot fight back against oppression.

If the EU was not just about helping banks and big companies, but democratic values, the UK would be kicked out of the EU. (also the EU would abolish its commission)

So. Farewell then Betamax. We always liked you better than VHS anyway

Christian Berger

Re: Wow

Well Sky probably used something called BetaCAM, which uses the same tape format (at least in the small version) but a completely different tape and electronics.

http://betacam.palsite.com/

There's been a succession of formats with the Betacam label, they are digital and HD now of course:

http://www.videocation.com/Sony_HDCAM_Recorder_HDW-M2000_HDW-M2100_HDW-D2000_ofr.html

UK's internet spy law: £250m in costs could balloon to £2 BILLION

Christian Berger

What about companies trying to get people to come to the UK

I mean seriously, under those laws most IT people wouldn't want to ever come to the UK again. OK the effects on the tourism industry probably are negligible, but what about companies like Dyson which actively try to find the smartest engineers where ever they can?

We’ve got a leak of the European Commission's copyright plan

Christian Berger

It's actually a sad thing how Europe has developed

The only interests which seem to have been considered were the ones of the banks and large companies.

I mean look at this show from 1973:

https://www.youtube.com/watch?v=oGYxwvzSG4A

This is a Dutch show master singing that borders are a "stupid idea"... only to list the countries this show is shown in live and delayed.

Today television is incredibly local. I know it may sound weird to you, but for example Doctor Who doesn't run on German TV. The only way we can watch it is via Bittorrent. I couldn't even subscribe to Sky, only to Sky Germany... which is mostly sports and some bad movies.

As mentioned above, it used to be much different. There was a time when there was true European TV. A time when you had Cartoon Network Europe transmitted in clear over the most popular European satellite position. There was a time when the Luxembourgian TV station Tango TV showed English language Simpsons episodes for all of Europe to see.

Top FBI lawyer: You win, we've given up on encryption backdoors

Christian Berger

Probably not

"So is he really saying they had a breakthrough and cracked currently available encryption?"

No, but the vast majority of people is using equipment already back doored by the manufacturer and using cloud services. From there you can simply get it with a "national security letter" or something.

Also modern mobile operating systems are so vastly complex, that they are full of bugs and therefore probably full of security bugs which can be exploited.

Google engineer names and shames dodgy USB Type-C cable makers

Christian Berger

So... the news is USB doesn't work in real life...

... I always thought we'd known this since the Microsoft demo which crashed their Windows 98.

Seriously, USB has so many flaws. For example the electrical side is not properly symmetrical. There is no galvanic separation which makes ground loops a problem. The software side is highly complex and uses 16 bit Unicode as the text encoding, probably the last place left doing so.

PC sales will rise again, predicts Intel, but tablets are toast

Christian Berger

Re: The future of the PC is not with Windows 10

"Professional users do use professional software."

That's exactly my point. Yes you could get a cygwin environment with vim, awk and all the normal Unix tools... but that's just a hassle when you get the same from any Linux distribution. Just try to make active filter design on a Windows box where your simulation software has to be manually run for every simulation. On a normal unixoid system you can execute your SPICE on a command line and write a small program around it which runs all night and presents you with the optimal solution in the morning.

Christian Berger

The future of the PC is not with Windows 10

Microsoft has made clear again and again that they do not care about the desktop any more. That's why Windows 8 and Windows 10 had a GUI geared towards tablets.

The future of the PC is with professional users using Linux. Essentially it's the "workstation" market, which, for a while merged with the PC market, and now essentially is mostly covered by PCs running Linux.

A bubble? No way, we're in a bust, says rich VC living in alternate reality

Christian Berger

Interesting article

Interesting article, however one line strikes me as odd:

"And that real value will be built through really good technology, which will be built by really good engineers."

I don't think the "good engineers" get even close to the Silicon Valley of today. The only interesting jobs there are morally bad, like weapons research or optimizing attention for ads.

Intel puts cash behind Wi-Fi-first smartmobes

Christian Berger

Sounds like an N770

Its advantage was that it didn't have GSM so it could be built and sold without the permission of mobile operators. Its disadvantage was that it didn't have GSM, which meant that you had to carry around a mobile phone and use Bluetooth to connect to the Internet.

Edit: Sorry, I mean the N770

Sennheiser announces €50,000 headphones (we checked, no typos)

Christian Berger

OK... tube amplifiers

Seriously that's what actually debunks it. It's not a precision device, but instead a "musical instrument". That's not bad by itself, but you have to keep in mind that it's obviously made to change the sound in a certain way instead of trying to give you an as good as possible representation of what's actually there.

That's BTW why studios typically use headphones in the range of 100-300 Euros.

Linus Torvalds fires off angry 'compiler-masturbation' rant

Christian Berger

Yes, but it may be one of the few cases of him being wrong

There's a rather good argument that he's wrong. Essentially using the compiler built-in function is more efficient and in a way more readable as everybody understands what this code is about. (checking for an overflow)

Overflows are one of the hard parts of C(++/#) and even Java.

Here is the full argument by someone who professionally finds integer overflows:

http://blog.fefe.de/?ts=a8c95274 (In German of course, this is about computing after all)
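A worked illustration of the two overflow posts above (the JSON echo server that answered numbers above 2147483647 with negative values, and the argument here that the compiler's overflow builtins are the clearer check), added as an example and not code from either post or the linked blog. The tiny text "protocol", the function names and the buggy/fixed pair are assumptions; it is written in C rather than Java and needs GCC or Clang for `__builtin_mul_overflow`.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a decimal string that must hold exactly one unsigned 32-bit value.
 * Rejects signs, whitespace, trailing junk and anything above 4294967295,
 * which is what a protocol field declared "32-bit unsigned" allows. */
bool parse_u32(const char *s, uint32_t *out) {
    if (s == NULL || *s < '0' || *s > '9') return false;   /* no sign, no space */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX) return false;
    *out = (uint32_t)v;
    return true;
}

/* Buggy echo (assumed reconstruction of the anecdote): the value is kept in a
 * signed 32-bit int. Anything above INT32_MAX (2147483647) is reinterpreted
 * as negative when formatted, so half of the 32-bit range comes back wrong. */
int echo_buggy(const char *in, char *out, size_t outlen) {
    uint32_t v;
    if (!parse_u32(in, &v)) return -1;
    int32_t stored = (int32_t)v;          /* narrowing to signed: the defect */
    snprintf(out, outlen, "%" PRId32, stored);
    return 0;
}

/* Fixed echo: keep the value in the unsigned type the protocol specifies and
 * format it with the matching conversion, so the round trip is lossless. */
int echo_fixed(const char *in, char *out, size_t outlen) {
    uint32_t v;
    if (!parse_u32(in, &v)) return -1;
    snprintf(out, outlen, "%" PRIu32, v);
    return 0;
}

/* Allocation-size check, hand-rolled: divide before you multiply. Correct,
 * but the reader has to work out that it is an overflow test. */
bool mul_size_manual(size_t count, size_t elem, size_t *total) {
    if (elem != 0 && count > SIZE_MAX / elem) return false;
    *total = count * elem;
    return true;
}

/* The same check with the GCC/Clang builtin: the intent is obvious and the
 * compiler can use the CPU's overflow flag instead of a division. */
bool mul_size_builtin(size_t count, size_t elem, size_t *total) {
    return !__builtin_mul_overflow(count, elem, total);
}

int main(void) {
    /* Constructed sample requests covering both sides of INT32_MAX. */
    const char *samples[] = { "42", "2147483647", "2147483648",
                              "4294967295", "4294967296", "-1" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rb = echo_buggy(samples[i], buf, sizeof buf);
        printf("buggy %-11s -> %s\n", samples[i], rb == 0 ? buf : "rejected");
        int rf = echo_fixed(samples[i], buf, sizeof buf);
        printf("fixed %-11s -> %s\n", samples[i], rf == 0 ? buf : "rejected");
    }
    size_t total;
    printf("SIZE_MAX/2 * 4 overflows: %s\n",
           mul_size_builtin(SIZE_MAX / 2, 4, &total) ? "no" : "yes");
    return 0;
}
```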