* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Christian Berger

There should be limits on the limitations of software licenses...

... particularly when said software can _only_ be used with hardware you have previously bought.

I mean it's not like some other company is going to build a microcode compatible CPU without Intel suing them into the ground.

Fire chief says Verizon throttled department's data in the middle of massive Cali wildfires

Christian Berger

Yes, and that's actually an improvement...

... over getting a tiny amount of data as part of your monthly fee and then having to pay ridiculous sums of money for every kilobyte of data.

Christian Berger

Re: We are actually missing the worst part here

"Lawyers will be lining up"

Yeah and Verizon can just cut them off the net when they do.

Christian Berger

We are actually missing the worst part here

In the linked document it says that Verizon actually said that they would only remove the throttling after they move to a more expensive contract!

BTW this is not likely to have any consequences for Verizon, they are a monopolist and do not care about how they are seen in the public.

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Christian Berger

Re: Well to stay real for a bit

"However, if you use their DNS servers (and most people do), they can track where you have been on the Internet."

Well but they can see the destination address of the packets going to their routers. And obviously those packets have to pass through them as that's their business model. I hand them over IP-packets for them to send to the Internet and get packets from the Internet to me back.

Christian Berger

Well to stay real for a bit

Your DNS belongs to your ISP, they can just as well sniff all your traffic.

The only danger would be for users of remote DNS resolvers like 1.1.1.1, 4.4.4.4 or 8.8.8.8 or that Cloudflare DNS over JSON over HTTP over TLS thingy. Those are likely to be logged by both the provider itself or by third parties.

Tampering with DNS works for censorship, however bending sites to different servers is made hard/impossible by TLS.

In any case nobody will go through the trouble of sniffing DNS. If you want to get data on your users start a web service or some web framework hosted on your servers and use the logs.

Google shaves half a gig off Android Poundland Edition

Christian Berger

Linux actually is much more than what you'd need on such a device

Essentially Android used a fully featured OS and cut it down PDA style. From a user's point of view there is not even a filesystem left, and users are expected to "sync" their devices to cloud services, just like traditional PDAs had to be synced via special software.

All the security mechanisms protect business models, not actual user security, so once we get rid of the malware store (and have something like Linux distributions have) we can get rid of that, essentially allowing users to become root on the devices they paid for.

Faxploit: Retro hacking of fax machines can spread malware

Christian Berger

What I've just noticed is...

... that this apparently only affects HP's Inkjet Fax machines. In a way that makes sense as laser faxes have little reason to interpret JPEG, as they are not good at printing "continuous tone images" as the standard calls them.

Christian Berger

Re: Sure, here's how I did it yesterday (not really).

Ohh, but Fax machines interpreting JPEG are actually very rare. Yes, it's in the standard, but so far I've only seen a Samsung one actually doing it.

BTW you can find out if your fax has such features by looking at the capabilities it announces during the negotiation phase. Most laser fax machines have some "T30-Trace" feature to print out a commented debug trace of your session.

Christian Berger

In civilized countries...

"It doesn't really make economic sense to have a fax machine physically they days just based on the line rental costs."

In civilized countries, companies have a trunk telephone line anyhow, so a fax machine only uses one port of your PBX which you usually buy on boards containing 8 of them.

Using external FAX-providers is not only bad security wise (an additional company handling your data creates additional possibilities for malevolent actors), but also a huge problem with reliability. You have more components in the way, each one could fail, and once you leave the fax protocol domain, failure will not be reported to the sender. If you have a full "fax-to-fax" connection, your sending fax will only say it's OK when the receiving fax acknowledged its reception. For some faxes that even means that the fax was printed out already.

Christian Berger

Ways it could work, in theory

Page data could be a vector, however any receiving fax is required to count lines of wrong lengths as "errors" and discard them. The number of lines per page is of course not limited, but faxes have been used for long pages in the past.

What's actually more likely is the negotiation phase, there Fax machines talk HDLC over v.21 with each other. It could be that the software only allocates a 256 octet space, but the HDLC frame is much larger. Since HDLC frames have no "length" indication you don't know how long they are. I have actually seen one particular modem (ELSA Microlink 56k) crash when it receives bad negotiation in that phase.
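The buffer problem speculated about in the comment above, as an added example that is not part of the original post and not taken from any fax or modem firmware: a bit-level HDLC receiver that only learns a frame's length when the closing flag arrives, so it has to bound every octet store itself. The names (`hdlc_rx`, `FRAME_MAX`, `hdlc_loopback`) are hypothetical, the traffic is constructed, and FCS checking and T.30 field parsing are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 256   /* the 256-octet buffer size used in the comment */

enum hdlc_event { HDLC_NONE, HDLC_FRAME, HDLC_OVERSIZE };

struct hdlc_rx {
    uint8_t buf[FRAME_MAX];
    size_t  len;        /* octets stored for the frame in progress */
    size_t  frame_len;  /* length of the last complete frame, 0 if none */
    uint8_t raw;        /* last 8 line bits, used to spot the 0x7E flag */
    uint8_t shift;      /* octet being assembled after destuffing */
    int nbits, ones, in_frame, overflow;
};

/* Feed one received bit; an event is returned only on a closing flag. */
enum hdlc_event hdlc_rx_bit(struct hdlc_rx *rx, int bit)
{
    int stuffed = 0;
    rx->raw = (uint8_t)((rx->raw >> 1) | (bit ? 0x80 : 0));
    if (bit) { if (rx->ones < 7) rx->ones++; }
    else     { stuffed = (rx->ones == 5); rx->ones = 0; }

    if (rx->raw == 0x7E) {                 /* flag: frame boundary */
        enum hdlc_event ev = HDLC_NONE;
        if (rx->in_frame && rx->overflow)
            ev = HDLC_OVERSIZE;            /* frame was longer than buf */
        else if (rx->in_frame && rx->nbits == 7 && rx->len > 0)
            ev = HDLC_FRAME;               /* octet-aligned, non-empty */
        rx->frame_len = (ev == HDLC_FRAME) ? rx->len : 0;
        rx->len = 0; rx->nbits = 0; rx->overflow = 0; rx->in_frame = 1;
        return ev;
    }
    if (rx->ones >= 7) { rx->in_frame = 0; return HDLC_NONE; }  /* abort */
    if (!rx->in_frame || stuffed) return HDLC_NONE;  /* drop stuffed 0 */

    rx->shift = (uint8_t)((rx->shift >> 1) | (bit ? 0x80 : 0));
    if (++rx->nbits == 8) {
        rx->nbits = 0;
        if (rx->len < FRAME_MAX) rx->buf[rx->len++] = rx->shift;
        else rx->overflow = 1;   /* keep counting bits, store nothing */
    }
    return HDLC_NONE;
}

/* Constructed test traffic: flag, bit-stuffed payload (LSB first), flag. */
enum hdlc_event hdlc_loopback(struct hdlc_rx *rx, const uint8_t *p, size_t n)
{
    enum hdlc_event ev = HDLC_NONE;
    int ones = 0;
    for (int i = 0; i < 8; i++) hdlc_rx_bit(rx, (0x7E >> i) & 1);
    for (size_t k = 0; k < n; k++)
        for (int i = 0; i < 8; i++) {
            int bit = (p[k] >> i) & 1;
            hdlc_rx_bit(rx, bit);
            ones = bit ? ones + 1 : 0;
            if (ones == 5) { hdlc_rx_bit(rx, 0); ones = 0; }
        }
    for (int i = 0; i < 8; i++) ev = hdlc_rx_bit(rx, (0x7E >> i) & 1);
    return ev;
}

int main(void)
{
    static struct hdlc_rx rx;              /* zero-initialised */
    uint8_t big[300];
    memset(big, 0xFF, sizeof big);         /* constructed oversize frame */
    enum hdlc_event ev = hdlc_loopback(&rx, big, sizeof big);
    printf("300 octets: event %d\n", (int)ev);
    ev = hdlc_loopback(&rx, big, FRAME_MAX);
    printf("256 octets: event %d, len %zu\n", (int)ev, rx.frame_len);
    return 0;
}
```

An oversize frame is reported and discarded at its closing flag, and the receiver stays usable for the next frame.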

Hackers can cook you alive using 'microwave oven' sat-comms – claim

Christian Berger

“The flaws allow us to ramp up the frequency.”

Uhm.... no.

There is nothing special about the frequency, it's just in a convenient range and has been allocated to microwave ovens. What you could "ramp up" is the power. However there are hardware limits. Satellite uplink transmitters typically have something in the order of 50 Watts. Granted there is a high gain antenna sending it directly to the satellite, but then again, your 700 Watts microwave oven makes sure most of those 700 Watts of output power actually reach your food. An open microwave oven is still moderately safe if you stand a few metres away from it.

Just because you can take over control of a radio device by no means means that you can do anything that dangerous. I mean I could probably take over my WLAN chip, but I'll never get it to output any serious power.

Google Spectre whizz kicked out of Caesars, blocked from DEF CON over hack 'attack' tweet

Christian Berger

It doesn't seem like they care

"Nowadays the NSA, CIA and defense contractors routinely recruit at the two shows"

I don't think they care about what they do when they allow the NSA, the CIA and defence contractors as _recruiters_. I mean recruiters by themselves are already not welcome at European conferences, even less so when they come from organisations that have on multiple occasions worked against the population. I mean what's next, a Mozilla stand?

Devon County Council techies: WE KNOW IT WASN'T YOU!

Christian Berger

Actually back in the 1990s I was at a company...

having HP LaserJet 5si or something printers. When doing long print jobs, they would start to lose letters. Your document would start out normally, then certain letters would "drop out" resulting in blank spaces between the leftover letters.

Encryption doesn't stop him or her or you... from working out what Thing 1 is up to

Christian Berger

Re: There's a war brewing

Well IoT which is dumbed down so that even idiots can use it is usually the problem. There's nothing wrong about having controllable lights on your own LAN or VPN. It's just highly idiotic to have any vendor service involved.

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

Christian Berger

Re: sell it to the black hats and ...

"but does that "fuck the vendor" or "fuck the users"?"

I'm sorry, but for decades the security community has been warning against vendors of "security in a box" like Kaspersky. It's like doctors warn that homeopathy is nothing more than a placebo with a talk.

BTW this is not some sophisticated problem that's hard to exploit. Everyone already sniffing for DNS traffic wouldn't even have noticed there being a VPN anyhow. So they wouldn't have gotten anything from "Blackhacks" (I don't like those terms, it's like putting people into "good" and "evil" categories. Life is not black or white, and many people with good intentions do horrible things, see Mozilla)

FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack

Christian Berger

I've once heard a quote about fragmentation and IP

Someone once said that the existence of fragmentation in IP shows "how much experimentation was going on in the early days of the Internet".

I mean seriously, I know it seems like a straight-forward idea. You have a packet, it's larger than your MTU, you split it into two. However the complexity on the other side is immense if you think about it for more than a few minutes.

IBM, ATMs – WTF? Big Blue to probe cash machines, IoT, vehicles, etc in new security labs

Christian Berger

Cash machines would be moderately simple to secure

Since they need to be online anyhow in order to function, why not put all the intelligence into a trusted server in a secure location? Just make all sub-devices talk directly via end-to-end encrypted channels with it. Have the sub-devices as simple as possible (i.e. by not using the complex protocol negotiations of TLS, or complex operating systems), connect them via a VPN-Router to the server, and there you go.

Obviously those small subsystems need to have good physical security. However with ATMs you already have an established culture of that, as well as the logistics to transport physical objects to it. That way you could do firmware updates by swapping and refurbishing the hardware modules.

Christian Berger

Re: Democracy inaction

Why even scan them, Germany shows that you can easily have a hand-count of most elections within 2 hours, including tabulating the preliminary results.

The age of hard drives is over as Samsung cranks out consumer QLC SSDs

Christian Berger

"In the field of computing that's not bad for a 60's technology!"

Well... not exactly, most technologies from that time 1960s are still in use. Semiconductor DRAM is one example which is still the most common form of RAM in computers which use more than 32 Megabytes of it. In a way even flash memory borrows its core idea from DRAM.

The same goes for operating systems. Unix lives on in the form of the BSDs and Linux. Multics lives on in Windows and Systemd. People still use Maxima on a daily basis.

Security world to hit Las Vegas for a week of hacking, cracking, fun

Christian Berger

Of course in the UK there's always the EMF camp

aka the Electromagnetic Field Camp.

Or the ICMP, the Intergalactic Club Mate Party, a hackers camp that has a non-web ticket shop. (it uses ssh)

In general the European conferences seem to be more self reflective. While the DEF CON used to have Facebook sponsor their badge which was a smartphone controlled by Facebook, sponsoring is rare on European conferences, and the bit of sponsoring there is in goods. For example Deutsche Telekom sponsors some bandwidth, but no money, equipment vendors sponsor equipment loans, and so on.

Dear alt-right morons and other miscreants: Disrupt DEF CON, and the goons will 'ave you

Christian Berger

Re: Actually there were virtually no problems at the Chaos Communications Congress...

Well but the Chaos Communications Congress is not _that_ much smaller. Last time it was 15000 people.

Christian Berger

Well DEF CON is something different to your typical European conference

For example in Europe you typically leave your company at home, while DEF CON seems to be extremely uncritical about sponsoring. As far as I've heard they even had a smartphone provided by Facebook as a badge.

Also another problem seems to be the different attitude about alcohol. In the US people under 21 may not drink alcohol. That is rumoured to result in binge drinking at those events. In Europe the attitude towards alcohol is much more relaxed and even children have nipped a bit of beer provided by their parents. Therefore on European hacker conferences there are rarely people who had far too much alcohol.

Christian Berger

Actually there were virtually no problems at the Chaos Communications Congress...

... particularly as there was no formal Code of Conduct. Having an elaborate Code of Conduct essentially invites such behaviour. It turns interactions with people into a game of how far you can go while still staying within the lines.

The more sensible solution is to provide help to anybody who is in need. For example during CCC events there is a helpline anyone can call if they feel mistreated. They also have volunteers to resolve those problems.

The main point here is to react when there is a problem, not to proactively impose rules because someone thinks there may be problems. You rarely can solve problems before they exist. Also Twitter is not the real world, Twitter mostly is a way of public interaction which brings out the worst in people.

UK comms revenues reach all-time low of £54.7bn, as internet kills the TV star

Christian Berger

BTW Fax is at 4,2% of calls

and 1,6% of minutes.

ISDN data calls are at 0,15% of calls and 0,016% of minutes.

Both numbers come from an unnamed VoIP provider. Obviously Fax and data calls are typically shorter than voice phone calls.

Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

Christian Berger

Re: Overly Gloom and Doom 90's Predictions

IPv6 doesn't break anything, it's just a new network. If you want to stay with IPv4 that's fine, but don't complain about the people that move on, either because they just don't have IPv4 addresses, or because they want to have something that works.

And unlike older networks like the Telex network, the X25 network or ISDN, IPv6 doesn't really have any serious disadvantages over IPv4. It's not like IPv4 was isochronous or provided you with identifiers a governmental organisation guaranteed you or anything like that.

I mean people still operate "Mailbox"-style services you can access via your modem. That's still a thing. People also still exchange medium amounts of data (e.g. the print files for a newspaper) over bonded ISDN channels. There's no reason why IPv4 goes on for decades in niche use cases.

Christian Berger

IPv6 is probably best thought of as a separate network...

...which it technically is. It just shares some infrastructure (like DNS) with the legacy IP network. Don't even try to think of it being the same network. This saves you from lots of headaches and suddenly things make sense. Like if you cannot call an IPv6 phone from a legacy IP phone, you know that that call needs to go over some sort of gateway between the different networks.

Christian Berger

Re: Never!

"Have you tried pushing an unexpected connection through a NAT router?"

Well that usually doesn't work when you want it to work... usually thanks to ALGs you can sometimes get it to work by spoofing some data on a seemingly unrelated connection. (i.e. downloading a file over HTTP which contains FTP commands)

Amazon, ditch us? But they can't do without us – Oracle

Christian Berger

Re: Oracle is historic legacy software for Amazon

"However, doing this kind of thing for its own sake or for the possibility of saving money is not enough as it means you now have to maintain an inhouse solution for non-core software."

Well if you are as big as Amazon, having your own custom software for your internal use might be something cheaper. After all instead of paying "per seat" you will only have to invest a flat fee. Also customizing "off the shelf" software often is more expensive than writing your own dedicated package. A good example here is SAP and Lidl where the customisation of the "off the shelf" package cost 500 millions! BTW I do think that ERP is a core function of any larger enterprise.

So yes they are also going to offer it as a service, as they do with most of the things they built for themselves, but that's just an extra bonus.

Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Christian Berger

I don't really think it's a module vs compiled in issue

I think it's an issue whether it should be in the kernel repository. After all most drivers in there can already be compiled as modules.

I don't think it should be compiled in, however if it's compiled in you could potentially make a VPN server/client without a file system. That would be an interesting idea.

Microsoft devises new way of making you feel old: Windows NT is 25

Christian Berger

It is also spelled MikeRoweSoft.

Christian Berger

Well cutting the old cruft didn't really work

One of the main selling points for any version of any product from Microsoft was that you could run your software from previous versions.

That's why Windows NT still contained the incredibly messy WinAPI which, because it had no way of generalizing things, had a function for every feature imagined by the creators, as well as data structures where the things you were interested in were declared "reserved do not use". The API was so bad that people resorted to reading the stack in callback functions to get more information from the system.

Then you had features deliberately put in to harm your competition by making it harder for them to implement them. SMB is said to have quite some feature duplication, apparently developers didn't read their own code.

The problem for Microsoft is that they cannot get rid of this. Any change means losing backwards compatibility. Any loss in backwards compatibility means that wine and ReactOS will look like better alternatives.

Nokia: Oops, financials aren't great. Never mind, 5G will solve our woes

Christian Berger

Re: Nokia 5G

"but it's public information that their ReefShark 5G chipset uses Intel 10nm so I wouldn't bet on this rolling out any time soon."

That would be a phenomenally bad decision, however considering that "Nokia Networks" is both a child of Nokia and Siemens this becomes absolutely plausible.

For reference, Siemens spun out their semiconductor department to Infineon... then Infineon spun out their memory chip department to Qimonda which then went bust in the next cycle.

Siemens Healthcare also re-branded itself as part of an employee demotivation campaign into "Siemens Healthineers". Complete with a dance routine:

https://en.wikipedia.org/wiki/Siemens_Healthineers#Controversy

IBM Watson dishes out 'dodgy cancer advice', Google Translate isn't better than humans yet, and other AI tidbits

Christian Berger

What I'm always missing in the AI hype...

...is how a particular achievement compares to some other approach, i.e. some carefully written, but otherwise trivial program, or some conventional statistics.

'Prodigy' chip moonshot gets hand from Arm CPU guru Prof Steve Furber

Christian Berger

Re: CPU complexity

Well there is the idea of "data-flow" based computing where you have lots of simple processors, each one with its own RAM and fast links to the others. The idea was to split up your problem into many small parts and make those run as part of a pipeline.

The problem is that this is conceptually very different to a PDP-11, so C(++)-Code won't run efficiently on such a machine. The solution back then was to use specialized languages like Star-LISP.

Of course today with the dominance of Unixoid systems, shell scripts could actually be a solution. Just let each of the C-based utilities run on its own core, only communicating via pipes with the others.

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week

Christian Berger

Considering the insane budgets...

... that secret services and Bubble 2.0 companies have, he can be forgiven for believing that that's feasible. After all that's probably at least in the same order of magnitude as the Apollo program.

Your 60-second guide to security stuff Google touted today at Next '18

Christian Berger

Re: Two-factor while holding a gadget

Well things on your phone are a different category, it's "what everyone else knows, but you".

After all all the "security" mechanisms in mobile OSes are there to keep the user out. The manufacturer or even app developers can still more or less freely spy on you.

Christian Berger

To be honest, protecting GMail is like...

... putting a high security padlock into a paper bag. Yes, you can protect one aspect of it, however since such webservices always have to have an "I forgot my password" option, there's usually an easier way to bypass those restrictions.

You can take off the shades, squinting Outlook.com users. It has gone dark. Very dark

Christian Berger

Re: OLED power usage?

You are confusing OLED with LED. "LED"-screens are just regular (usually TFT-) LCD screens with LED backlights. Any OLED technology will actually have pixels lighting up and no backlight. In fact there are currently OLED lamps actually being made.

You can see that when you look up the datasheet of any OLED display. Here's one example of one not claiming to be AMOLED.

http://cdn-reichelt.de/documents/datenblatt/A400/DS_OLED_EA.pdf

As you can see there's no

AMOLED essentially is just OLED with extra transistors. Apparently those are used (with capacitors) to actually store the image on the screen, and to control it by constant current instead of scanning it.

Christian Berger

Re: Yay, technology

Actually even earlier than that, however early browsers just used the system colours to display websites... and had a way to control each of the fonts used.

Intel Xeon workhorses boot evil maids out of the hotel: USB-based spying thwarted by fix

Christian Berger

Re: and in other news

"But then the system wouldn't boot as your encryption keys for Secure Boot are in the TPM."

If you just want to get around Secure Boot, that's trivial. You replace the whole computer with an identically looking one. This computer only asks the user for their password and sends it via radio to you. It will then pose as if the password is incorrect or the computer is broken. Then you have both the original computer and the password, which you can use to get all the data...

The pro attack then will swap the computer back, the user will think they momentarily forgot their password and will be too embarrassed to ever report it.

Christian Berger

Re: and in other news

Actually what's best is to use nail polish with glitter or stripes, photograph it and place the photograph as an ad into a newspaper. That way you'll have a constant public hash of your security measure.

BTW there's little else you can do otherwise against "evil maid" attacks, since that maid can just as well replace the mainboard.

Of course the failure on Intel's side is to expose the debug interface on some connector that's actually moderately useful for other things, so removing it is hardly ever an option.

Quantum, Linux and Dynamics: That's the week at Microsoft, not a '70s prog rock band

Christian Berger

Re: Powershell on Linux

"So I think it's safe to say that Powershell is relevant for way more SAs that Bash is these days."

Well for Windows SAs that is, for however long Microsoft decides to still ship products that need SAs.

Christian Berger

Re: re: don't bother trying to reinvent wheels that have been invented better elsewhere.

Ohh BTW, one should not forget that programmers and language designers can have different ideas on what an object is. Recently quite some Java programmers realized they had a somewhat different idea about objects than the language designers. The result was that they happily piped around objects over the network resulting in lots of pwnage.

Christian Berger

semi OT, Windows song

There actually was (is?) a duet of singers calling themselves "The Windows" and they predate the Microsoft product by nearly a decade.

Here's "How do you do?":

https://www.youtube.com/watch?v=TcCxC_-ABFs

Christian Berger

Re: re: don't bother trying to reinvent wheels that have been invented better elsewhere.

"How is piping text between commands better than piping objects?"

It's by far easier to implement, particularly cross programming language as different programming languages tend to have different ideas on what an "object" is. (or in fact different programmers of the same language)

Text is the lowest common denominator. You can process it in any language, and you can both easily read and write it by hand.

Simplicity is important, it's what made Multics and OLE on Windows basically disappear.

Dust yourself off and try again: Ancient Solaris patch missed the mark

Christian Berger

Oracle still exists?

Didn't they close down the shop in 1992?

Here's a source for that:

https://en.wikipedia.org/wiki/ORACLE_(teletext)

First airdate from 1978

Closed 31 December 1992

Here's why AI can't make a catchier tune than the worst pop song in the charts right now

Christian Berger

Re: I get this completely

Well yes, but no performer performs a piece by typing in sample values into a text editor and then converting that to a wav-file.

Performers don't think in terms of actual samples, they think in tones, and while they may think of them in ways standard notation cannot convey, it's still tones to them, not samples. Just like painters don't think in pixels, but brush strokes and shapes and such.

Christian Berger

Re: I'm actually surprised that it works on raw samples at all

"What was the actual output format? Surely the AI didn't hear piano WAV and emit a WAV with individual sounds exactly like piano keys?!"

Apparently they did exactly that. This is the second paper I've seen which did that. It's not a smart thing to do, but given enough CPU power you can probably get away with it.

Christian Berger

Re: Well mixing should not occur

"If there are two pure sound sources in air at two different frequencies - then the "beat" frequencies will also be heard if they are within the audible range. That's the basis of polyphonic singing."

Well but that's strictly not "mixing". What you have here is your ear/brain-system interpreting 2 tones at close distances as one tone which is changing in intensity in a certain way. That's simply because that's essentially the same thing.

The ear/brain-system interprets the signal in certain ways. It's a bit like that triangle pointing downwards in this picture:

http://www.whatispsychology.biz/kanizsa-triangle-illusion-explanation

You could argue that it's objectively not there. You could however also argue that it is there, because all 3 corners are plainly visible.

The same can be said about beat frequencies. Yes, they objectively exist if you look at the envelope of the resulting signal, but no, if you look at the spectrum it does not exist.