Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Silicon Valley season closer: Would you like fried servers with that?

Christian Berger

Re: Apart from technical errors in episode 8, season 2 was great

Well as we now know those errors had to be in there, otherwise "deleting your own code" wouldn't have been plausible.

Other than that I find it less plausible for someone just to have one laptop. Laptops are so cheap these days everybody in the IT business should be able to afford an emergency one, or keep their old one when they buy a new one.

Duqu 2.0 malware buried into Windows PCs using 'stolen Foxconn certs'

Christian Berger

Re: Again, code signing is not a security feature

"Anyway Windows doesn't force you to sign executables."

Well UEFI "Secure" Boot might force you into getting a signed boot loader eventually. The requirement to be able to turn off "Secure" Boot was removed by Microsoft recently.

And on mobile devices it's even worse. That's the main reason why you don't have a healthy culture of alternative operating systems on those.

Christian Berger

Again, code signing is not a security feature

At best it's a way of protecting a business model. There should be laws against mandatory code signing.

The NHS pays up to NINE TIMES over trade price for commodity kit

Christian Berger

Same things happen in commercial companies...

... but you simply don't hear about it since that's not in the news. Wasting customer money apparently isn't as bad as wasting tax money.

Anyhow I've seen companies getting extremely bad and overpriced (IP-)PBXes which then simply don't work. In many cases those companies then have centralised IT which means that the supporting company often has a 9 hour drive to get there. I've recently even had an example where a company got their firewall and PBX administered from Russia.

BlackBerry on Android? It makes perfect sense

Christian Berger

Re: I'm planning to buy a new washing machine...

As stupid as it may sound at first, but the choice of operating system on a washing machine tells you a lot about the mindset of the company making it. However keep in mind that even Android is a beacon in the night compared to many embedded operating systems.

Consider the actual complexity of the "washing machine control" problem and then consider the number of lines the logic would actually need, and then consider how the selected operating system fits into this.

Cortana threatens to blow away ESC key

Christian Berger

Well Toshiba firmly establishes itself in the consumer section...

...where laptops are just fashion toys and people gladly give away one of the most important keys on the keyboard for a gimmick they will tire of within a week.

I mean even if you live in the Microsoft bubble the Escape key is important. It's what gets you into the menu of Word and Works.

Facebook: Your code sucks, and we don't even have to run it to tell

Christian Berger

There would be a very simple metric

Just count the number of lines/characters/syntax elements between matching ends of a "block". This block can be defined by matching brackets, or implicit brackets.

So something like if (k==0) {dosomething();}; would lead to something like 3 syntax elements for the first brackets and one syntax element for the second set. (Alternatively you could count characters, which is less precise but way simpler.)

This way the more local your code is, the lower the numbers, which correlates nicely with readability.

Of course this makes no statement about actual bugs in the code. However bugs are much easier to find in readable code than they are in unreadable code. Plus this is so simple that editors could include it to evaluate your code as you type.
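The metric sketched above, as an added worked example that is not the commenter's code: a small bracket matcher that tokenizes the input and reports, for every matching pair of brackets, how many syntax elements sit between them, plus the largest such count as a single "locality" score. The tokenizer, the `block_spans`/`worst_block` names and the two sample snippets are assumptions made for this example. It counts every token, so the `{dosomething();}` block scores 4 (dosomething, (, ), ;) where the comment above treats the whole statement as one element; string literals and comments are not handled. Because a metric that runs as you type will constantly see half-finished input, the matcher rejects unbalanced brackets instead of guessing.

```python
import re

# Simplified tokenizer: identifiers, numbers, a few two-character operators,
# and every other non-space character as its own token. String literals and
# comments are not handled, so they would be split into characters.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||[^\s\w]")

# Brackets that open a block and their matching closers.
OPEN_TO_CLOSE = {"(": ")", "[": "]", "{": "}"}
CLOSE_TO_OPEN = {close: open_ for open_, close in OPEN_TO_CLOSE.items()}


def tokenize(src):
    """Split source text into syntax elements (tokens)."""
    return TOKEN_RE.findall(src)


def block_spans(src):
    """Return one (opener, open_index, close_index, inner_count) tuple per
    bracketed block, in the order the blocks are closed. inner_count is the
    number of tokens strictly between the matching brackets; nested brackets
    count as tokens of the enclosing block too.

    Raises ValueError on unbalanced brackets so the metric is never computed
    on malformed (e.g. half-typed) input.
    """
    tokens = tokenize(src)
    stack = []  # (opener, index) of blocks not yet closed
    spans = []
    for i, tok in enumerate(tokens):
        if tok in OPEN_TO_CLOSE:
            stack.append((tok, i))
        elif tok in CLOSE_TO_OPEN:
            if not stack or stack[-1][0] != CLOSE_TO_OPEN[tok]:
                raise ValueError(f"unexpected {tok!r} at token {i}")
            opener, start = stack.pop()
            spans.append((opener, start, i, i - start - 1))
    if stack:
        raise ValueError(f"unclosed {stack[-1][0]!r} at token {stack[-1][1]}")
    return spans


def worst_block(src):
    """Largest inner token count over all blocks: a crude locality score
    where lower is better. Returns 0 for input without any brackets."""
    return max((span[3] for span in block_spans(src)), default=0)


# Constructed sample inputs for this example (not from the original post).
LOCAL_STYLE = "if (k==0) {dosomething();};"
SPRAWLING_STYLE = (
    "while (running) { read(buf); parse(buf); if (err) { log(err); } "
    "update(state); render(state); sleep(10); }"
)

if __name__ == "__main__":
    for name, src in (("local", LOCAL_STYLE), ("sprawling", SPRAWLING_STYLE)):
        print(name, "worst block:", worst_block(src))
        for opener, start, end, inner in block_spans(src):
            closer = OPEN_TO_CLOSE[opener]
            print(f"  {opener}...{closer} tokens {start}-{end}: {inner} inside")
```

Run as a script it prints a score of 4 for the local snippet and 36 for the sprawling loop body, which is the behaviour the comment describes: the more work is crammed between one pair of braces, the higher the number. An editor integration would call `worst_block` on the current buffer and simply skip the update while `ValueError` is raised.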

Microsoft picks up shotgun, walks 'Modern apps' behind the shed

Christian Berger

Re: Windows 8 interface

Well I don't even think that's the fault of the touch interface, but the business model set by Apple where the owner of the phone gets a cut of all app purchases. The owner of the phone mostly cares about them as that's where the money is. It doesn't matter what the user thinks as users usually don't own their phones.

Germany drops probe into NSA's Merkel phone-hacking

Christian Berger

Small misunderstanding

They didn't look into the NSA phone hacking, they looked into the NASA:

https://www.youtube.com/watch?v=vySPJKiSzPQ

The NSA doing mass surveillance in Germany would obviously be absurd; that's why that part of the story was dismissed immediately. If the NSA did such things they would surely say so in the questionnaires we sent them. ;)

Hey kids, who wants to pwn a million BIOSes?

Christian Berger

In a nutshell...

it all boils down to the simple rule, "you cannot contain malware on a computer".

If you can run malware it is likely to be able to do anything. Our safeguards are just additional boundaries to make the job a bit harder, which is a good idea, but we shouldn't rely on it.

Unfortunately, recent developments have increased the problem. Systems have become even more complex than they used to be, greatly increasing the chance of some remote code execution bug which might introduce malware into your system. Javascript may be comparatively easy to sandbox, however it's getting more and more common and browsers do not even enforce a single domain policy.

Plus there are some stupid ideas like UEFI creating hugely complex systems which are easily corrupted by malware, but hard to replace with something simple by the user.

Christian Berger

Re: Hard TPM

Well with TPM the problem is that the likely attacker already is inside the TPM. After all it's extremely likely that governments will demand back doors, and current TPMs actually allow you to have a "second key" to access your encrypted hard disk.

It's 2015 and Microsoft has figured out anything can break Windows

Christian Berger

So all it does...

...is to scan the memory for certain byte patterns... that means you need a list of those patterns... which essentially turns it into a virus scanner for memory.

That sounds like a disaster. Not only will it not help against targeted attacks or attacks from governments/DRM companies, it will open a whole new set of security vulnerabilities. You will have software trying to parse even more data.

Super Stuxnet's SCADA slaves: security is atrocious

Christian Berger

Re: As long as we don't get minimal security standards..

"Should you even succeed in rendering them outlaw, the grey and black markets will accommodate them."

By that logic you couldn't have any safety or security standards.

Christian Berger

As long as we don't get minimal security standards..

...and simply outlaw certain products and protocols nothing will change here.

I mean you cannot design a secure product based on OPC (OLE for Process Control) as it requires insecure components to work with. And even its successor "OPC UA" is a hugely complex mess which probably _never_ will be implemented correctly.

But... I... like... the... PAIN! Our secret addiction to 'free' APIs

Christian Berger

It's the same with most hype technology

I mean look at "Windows for Pen Computing", an addition for Windows 3.1 and 95 to allow specially modified software to have handwriting recognition.

Has marketing grabbed the IT reins at your company?

Christian Berger

I haven't seen an IT department...

...that wasn't mostly controlled by marketing departments of vendors for decades. I mean the people inside of IT departments often do not know what they are doing, so they rely on marketing material to evaluate different products.

Undetectable NSA-linked hybrid malware hits Intel Security radar

Christian Berger

No of course not

The NSA would just force the company into signing their firmware or giving them the secret key to sign it. Signed firmware just outsources trust to another party, it doesn't provide trust or security.

Industrial Wi-Fi kit has hard-coded credentials

Christian Berger

It's a difficult crowd

I have considered working at a company doing a lot of industrial control... however I decided against it.

The problem is that the people working there are still stuck in their 1990s mindsets and technologies. Even if they wanted to change, they can't because they are stuck with brain dead 1990s technologies like OPC (OLE for Process Control).

Those people haven't learned about Unix so they think OOP is the only way to go. They even actively work on things like "SCADA in the Cloud".

http://www.waterworld.com/articles/print/volume-28/issue-10/editorial-features/cloud-based-scada-alternatives-traditional-systems.html

Such a work environment probably is completely unbearable to anybody with the slightest knowledge about security. That's why those people aren't found there.

Christian Berger

Unfortunately not

a) If you do that, your industrial system... costing thousands per second... will stand still for hours.

b) They will just send it back as it's not broken as per specification.

Cisco: Nice things you got there. Shame if anything should happen to them

Christian Berger

Re: Instead of building "security" into the carrier networks...

Yes, but the problem probably can be solved by good software design and good implementation. A device must be designed in a way so you can throw everything at it without risking anything dangerous.

The big problem of course is that those devices typically are made for idiots who cannot program. Therefore they tend to use centralized control over those devices, which by itself is a big security problem.

Plus as you've mentioned, Cisco kinda has a really bad reputation when it comes to security. The devices are only tolerable on dedicated control networks, exposing a Cisco on the open Internet is a bad idea.

Christian Berger

Instead of building "security" into the carrier networks...

... which is technology-wise the same as putting censorship into it, we could also simply use slightly better routers. There are some manufacturers with fairly good track records which don't just reskin the firmware image they get from the chipset vendors. Those manufacturers also release firmware updates for at least 3 years (more in case of an emergency).

BBC, Facebook steer users to vuln-afflicted Unity Web Player plugin

Christian Berger

Why? Just Why?

There's a perfectly good "video"-tag. It just works, and even if it doesn't work you can always use an external player. It may not be perfect, but it's _much_ better than any of those special proprietary players will ever get.

The 1990s are over, get over it. Today you can just have a URL to a video file/stream inside a link and if people click it it'll just work.

What's broken in this week's build of Windows 10? Installing it, for one

Christian Berger

Well things don't need to be as complex as they are now. Most of the complexity we have today is caused by bad software design.

We stand on the brink of global cyber war, warns encryption guru

Christian Berger

Luckily defence is comparatively easy

Just use well designed systems.

Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU.

Avoid closed source software.

Try to get your systems as simple as possible.

Educate your users.

A side effect of this is that you get much faster and more reliable systems, which are easier to maintain. Also, if you are a nation state, try to build your own computers and computer chips. If a simple CPU can be designed by a small start-up in the 1970s you surely can do it, too. You don't need to do things like video decoding or 3D graphics on your main CPU, those things can be safely separated into separate chips having their own RAM.

LG G4: Be careful while fingering this leather-clad smartie pants

Christian Berger

Re: A Review? Advertorial maybe....

It doesn't matter if he was paid for this or not. It's still not an actual review. Or, to be more precise, all the review is in the teaser.

So the relevant facts are:

no removable battery

no SD card slot

which firmly puts this device into the "fashion" category of devices which look and feel nice, but are of no long lasting use.

Lonely Pirate cheers on Big Copyright-bashing EU commissars

Christian Berger

Re: It's pretty obvious

"Here is my money. I *want* to give you my money. Why won't you let me?"

That would make some pay TV providers have serious problems. Why should I, for example, get German Sky, when I could also get UK Sky?

LTE will catch up with 3G by 2020: Ericsson

Christian Berger

Hmm, that depends

My guess is that 3G will shrink dramatically, as it's not very good for data and won't work well with LTE. IoT devices currently are overwhelmingly on GSM, and Internet will quickly move to LTE as soon as operators open their networks to the general public.

GSM will still be around in the long term as it's seen as infrastructure. It also can work easily with LTE, so you can have a combined LTE GSM base station sharing the same frequency. And that might in fact be used for voice in the long run.

If people get VoLTE to run on a larger scale, it'll probably enslave humanity and send back a robot from the future to kill the mother of the leader of the anti VoLTE resistance, or it'll just crash and burn and slowly disappear from marketing brochures.

HP haters: Get ready to rage against THE MACHINE 'next year'

Christian Berger

How will that work....

... with normal operating systems? Are they trying to re-invent that, too? If they do, kudos to them, but I doubt they will make it as only a small fraction of designs for "operating systems" are actually successful.

Sysadmins rebel over GUI-free install for Windows Server 2016

Christian Berger

Re: and in the real world...

Absolutely, in fact most of the hard to replace software for Windows I've seen actually was baked into the GUI. It's not even uncommon for Windows services to have GUI windows. Sure Microsoft warns people against doing that in their documentation... but what developer reads it? (Particularly back in the 1990s when developer documentation for Windows was actually expensive.)

The Windows world is not as nice as it's shown in commercials. A typical Windows installation is full of 1990s crap which is business critical. It's full of custom database or license servers running as GUI applications. In fact if it isn't, you are likely to be able to easily replace the software with even better free (as in speech) alternatives. That's why the fraction of Windows servers running crap software probably will even increase. The people still running file or mail servers on Windows mostly do so because they don't know better.

Wall Street watchdog publishes its ultimate rules on Bitcoin biz

Christian Berger

Re: What?

Windows XP still is the backbone of many companies. In the laboratory where I work we recently (this year) switched from Windows 2000 to Windows XP because the Windows 2000 laptop broke.

Christian Berger

Re: Presumably

That's still better than having no meaningful regulations at all, as is the case in the current banking sector.

KFC takes legal axe to eight-legged mutant chicken claims

Christian Berger

I wonder when they will find out about...

"Kentucky schreit Ficken" (Kentucky screams f*ck), a segment in the popular long gone show "RTL Samstag Nacht Live".

VirtualBox 5.0 beta four graduates to become first release candidate

Christian Berger

Yes, but why should I pay $50-$60 for software I don't even get the source code for? I mean, a company selling me software but refusing to give me the source code sounds a lot like malware.

Holy SSH-it! Microsoft promises secure logins for Windows PowerShell

Christian Berger

In 2000 I was at the "Systems" in Munich

A trade show which no longer exists. Anyhow I've seen a sales droid marketing the many advantages of Windows 2000. The 2 main ones which stood out for me were "hard disk encryption" and "networking", though both were readily available on Linux even back then. Now, after 15 years, the second point is finally on the horizon and Windows might get some normal networking functionality.

Fanbois designing Windows 10 – where's it going to end?

Christian Berger

@The Reg, Please use more relevant images for this

After all there are lots of great Windows photographs and videos out there.

Oops, correct link:

https://www.youtube.com/watch?v=TcCxC_-ABFs

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Christian Berger

And still not handling self-signed certificates well

I mean if you have certificate pinning, self-signed certificates are about as secure as official ones. Sure, if an attacker can spoof the connection every time, you have a problem, but then you don't get the problem of false certificates issued by rogue CAs.

The time on Microsoft Azure will be: Different by a second, everywhere

Christian Berger

Obviously the sensible solution would be...

... to have computers switch to "atomic time" which just moves forward smoothly without any leap seconds. The difference to local time would then be accounted for the same way it's done for time zones.

Christian Berger

Yes, plus there are several different ways to do daylight savings.

It's the Internet of Feet: Lenovo shows smart shoes, projector keyboard phone

Christian Berger

Re: I don't know if I want any of these ...

Used Lenovo laptops are rather affordable.

Christian Berger

This reminds me

Back in 2000 there was an Austrian series of documentaries called "Schauplätze der Zukunft" (stages of the future) where they showed smart shoes made by a guy called Joseph Paradiso. They were supposed to control the lights and the TV, open doors and operate the microwave oven.

Christian Berger

Re: Intriguing...

Simplez, they use a black light LED.

BlackBerry: We ARE cutting jobs AGAIN

Christian Berger

Re: Blackberry's own Windows 8

Blackberry never quite knew what they had. If they had only offered a "terminal" mode using an open protocol so you could use the hardware with your own software running on a "terminal server", they might have had a stable market niche. Trying to out-iPhone the iPhone doesn't work unless you are Apple. Even the "I want an iPhone, but I don't want Apple" market has been filled by thousands of Android devices.

Christian Berger

Re: Sadly...@cb

"Will Ubuntu do better?"

From what I've seen, no. They kinda took out all the good parts of Ubuntu (mainly Debian) and replaced them with all the things you don't want to have in a mobile device. (like App stores and useless info-crap)

Christian Berger

Re: Sadly...

Well unfortunately for me as a citizen I do not care much which nation-state/corporation is behind the device, what I'd want is a counterweight to all of this.

I'd like to have a simple smartphone without all the crap the industry wants to add. I don't want an app store, I want a distribution. I don't want some complex OOP-based software engineered system just to store a phone book. What I want is a system that's as simple and modular as possible. Essentially just the Unix idea brought to a mobile device.

Unfortunately none of the players in the field give that to me.

Boffins create tiny holographic battery that fits INSIDE a chip

Christian Berger

Re: Anyone remember the DS1386-8K

Well that actually was a little module in a black plastic case much bigger than your usual DIP case. You can probably cut them open and replace the battery.

The reason they did use something like that was that till a decade ago EPROM was believed to only last about a decade.

Queen's Speech: Snoopers' Charter RETURNS amid 'modernisation' push

Christian Berger

Re: Measures will also be brought forward to promote social cohesion

"Most of the people I know who have VPN's do it to fool netflix and iPlayer rather than anything to do with privacy."

That's because simple VPNs cannot provide you with privacy. There's still a simple 1:1 connection to you, and if you pay, even to your bank account. If you want privacy you use Tor.

First production car powered by Android Auto rolls out – and it's a Hyundai

Christian Berger

Needless complexity

Essentially they use Android, probably one of the most complex operating systems out there, to replace much simpler systems. The result will be (security) bugs without end.

Pavegen: The Company that can't make energy out of crowds tries to make money out of them

Christian Berger

Re: What a complete and utter pile of crap

You forget something. Interest rates are at a historical low. Investors are desperately seeking places they can sink their money into.

Bluetooth privacy is mostly ignored, so you're beaming yourself to the world

Christian Berger

Why do I increasingly have the feeling...

...that consumer products are more and more designed by companies like Perfect Curve:

https://www.youtube.com/watch?v=1EySLuYWTy0

SAVE THE PLANKTON: So much more than whale food

Christian Berger

There's a 1970s German apocalyptic Sci-Fi series

where the apocalypse mostly has been brought about by 2 tankers of pesticides colliding in 1986, which wiped out the marine ecosystem which was already weakened by pollution.

https://www.youtube.com/watch?v=U4PQ2RwddmI