* Posts by Christian Berger

4837 posts • joined 9 Mar 2007

When software depends on a project thanklessly maintained by a random guy in Nebraska, is open source sustainable?

Christian Berger

Those things happen all the time

Essentially many important projects are "maintained" by a single person. The IANA used to be a single person.

Christian Berger

Re: "Fix it"...?

"You are erroneously assuming, as a programmer/techie, that every business house had the ability in terms of technical wherewithal to just open up the source code and make it their own."

Well if your business depends on software you cannot maintain yourself, maybe you should not be doing that business. It's like running a restaurant without having staff that can cook. It's like running a factory without a mechanic on hand.

Christian Berger

That's why Free Software needs to be small

And that's why the Unix philosophy works so well with Free Software. If your program is small and simple enough that someone can just take the manual and re-implement it from scratch, the software is truly free. If your software package is huge and it takes dozens of people just to maintain it, it cannot be free.

BTW this has nothing to do with funding. Mozilla, for example, is a hugely overfunded company which could hire hundreds of programmers for decades on a singe year of income. Yet they let their main "product" fall into disrepair.

It's 2020 and a rogue ICMPv6 network packet can pwn your Microsoft Windows machine

Christian Berger

I wonder where the myths about IPv6 came from

I mean IPv6 is not inherently more complex than IPv4, in fact it's much easier in many regards (like stateless auto configuration for networks without DHCP).

My guess is that it's because of the "hype" people which crammed more and more "experimental and optional" (read unused) features into it like "IP Mobility" or "NAT64" or "NAT46". However nobody really uses that. In reality IPv6 is not much different to IPv4. It's a separate network sharing some infrastructure, it codifies some nifty ideas you have in IPv4 in a cleaner way (e.g. your local nameserver should always listen to a fixed local anycast address so you don't need to configure it). Nobody uses those advanced features except for experiments.

If you think Mozilla pushed a broken Firefox Android build, good news: It didn't. Bad news: It's working as intended

Christian Berger

There are 2 main underlying problems here:

1. Mozilla doesn't care about its users. They fail to understand what they exist for and instead work against the user.

2. Web standards are so utterly complex, that it's impossible to write a truly free browser. The code of browsers is to complex for a single person or small group to make meaningful changes. The code is, in a way, unfree, but not because of license, but because of complexity.

Foreshadow returns to the foreground: Secrets-spilling speculative-execution Intel flaw lives on, say boffins

Christian Berger

Re: Question

Servers are not the problem here. Servers can be secured physically and they typically only run "trusted" code. (=code that you deliberately installed)

The main issue here is with browsers. Browsers continue to have a missfeature that allows people to send code with their documents. The figleaf is that "sandboxes" will prevent that from getting dangerous. Ignoring for a moment that the mere act of computation on a client can be an attack, this is yet another example for sandboxes failing in more or less unexpected ways.

We must stop using sandboxes as an excuse to do highly dangerous things. A sandbox can be an additional barrier against exploitation, however it is not a cure all that allows you to execute random malware.

What is WebAssembly? And can you really compile C/C++ to it? And it'll run in browsers? Allow us to explain in this gentle introduction

Christian Berger

I should add that...

...we now have a new pre-fetching attack that works with WebAssembly.

Christian Berger

Re: Of course it completely ignores the main problem of any program code in the browser...

Most of the JS from other domains is malware by now. Usually it's code that manages ad providers to do things like holding an auction to determine what ad will be displayed to you. I can accept advertisements, but I do not accept such behaviour.

Christian Berger

Re: "if you’re a company developing a new application, why make it native?"

"Native code means porting if you have more than one target, which in itself can be imperfect and can result in bugs."

Yes, but if you choose one of the sensible ways to do this, porting is easy and reliable. I maintained a large-ish software package and there were something like 3 lines of code with ifdefs around them to handle differences in platforms. The platforms were Linux, Windows and MacOSX.

Christian Berger

Re: Not Supported in my Browser

The funny thing is that the most popular sites work just fine without Javascript or Webassembly. Just look at Google or Amazon.

Christian Berger

Re: Of course it completely ignores the main problem of any program code in the browser...

"I fail to see how this argument is any different from JS. That can suck your battery too."

It is in no way different than JS, but that's my point. WebAssembly is essentially like JS, but you don't even get the (potentially obfuscated) source code.

If we want to have server-dependent "Apps", we should perhaps ditch any kind of code executing locally and instead define a sort of "terminal". This doesn't need to be based on character terminals, but could instead be a DOM-tree controlled via Web sockets.

Christian Berger

Of course it completely ignores the main problem of any program code in the browser...

... that it's a gigantic security nightmare. Even if your sandbox is somehow "secure" it still can be used to suck your battery empty or mine $crypocurrency without your consent.

Then again the need for a platform independent "bytecode" for programs might have existed in the 1990s, but today we have moved on to distributing software in source form. Why turn back the time to where software was distributed in opaque binary files you had to disassemble in order to adapt to your needs?

Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC

Christian Berger

Virtually all competent IT departments...

... offer Linux desktops, and particularly more technical departments readily gobble them up.

It's just that incompetent IT departments are far more common than competent ones.

Record-breaking Aussie boffins send 44.2 terabits a second screaming down 75km of fiber from single chip

Christian Berger

Actually it's even more impressive

It's not just DWDM on a chip, it's OFDM on a chip. The carriers can be much closer together relative to their bandwidth than on DWDM as they are all coherent and have a well defined distance. Essentially the neighbouring frequencies will interfere with the middle one, but those interference patterns will cancel themselves out over a symbol period.

Honestly I do not think this will require a lot of rack space. After all this is "just" 422 times as much as already established 100 Gbit/s and this can apparently is compatible with CMOS, so you could even place your routing logic on the same piece of silicon.

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT

Christian Berger

Well the idea is...

that there may be countries somewhere, where your ISP is less trustworthy than Cloudflare. Of course this doesn't apply to Europe where your ISP could easily get shut down if they were caught exploiting your DNS traffic, whereas Cloudflare only makes a non-enforcable "promise" that they won't mess with your queries.

Apple owes us big time for bungled display-killing cable design in MacBook Pro kit, lawsuit claims

Christian Berger

Well at least they were cheap...

Mac books are cheap, aren't they?

FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

Christian Berger

Well yeah...

yet another reason not to execute code from untrusted sources like advertisement companies. We really should be working on getting rid of executable code on webpages.

Serial killer spotted on the night train from Newcastle

Christian Berger

It is perfectly adequate technology for this

After all that is just a sign that can display text. Serial lines are more than adequate to get the data there. This probably uses something like RS-485 which works much better for long lines, but is otherwise nearly identical to "normal" serial lines. Also it works over normal twisted pair and doesn't need higher grade cable you would use for Ethernet. BTW you can run such a system in a unidirectional mode so an attacker on the bus can eavesdrop and modify the data, but not access the master.

I mean this makes a lot more sense than what a German railway company did, using Windows PCs to directly drive their station signage... with the obvious result that eventually they were hit by ransomware.

NASA's classic worm logo returns for first all-American trip to ISS in years: Are you a meatball or a squiggly fan?

Christian Berger

BTW they use a somewhat different logo in Germany


Planet Computers has really let things slide: Firm's third real-keyboard gizmo boasts 5G, Android 10, Linux support

Christian Berger

It doesn't protect the screen

So whenever it is dropped there is a serious chance of cracking the screen. Why on earth did they copy that design flaw from Apple?

Microsoft staff giggle beneath the weight of a 52,000-person Reply-All email storm

Christian Berger

Wait Microsoft has E-Mail?

I thought they'd only have Outlook and Exchange.

How does Monzo keep 1,600 microservices spinning? Go, clean code, and a strong team

Christian Berger

Banking isn't really a highly computational process

For example on average there are only around 1300 credit card transactions per second in the US. While this may sound like a lot, it's probably less computation than playing an MP3 file takes.

Of course there is _way_ more database activity, but we live in an age where storing your database in RAM or on fast flash memory is feasible.

To put this into context, every fixed line call in Germany has to go through a complete lookup of the portability database. That's a database listing every number that has ever been ported. That's millions of datasets. The lookup works with a simple barely optimized program which rarely takes more than a millisecond to look up a dataset, even on a very modest computer.

BSOD Burgerwatch latest: Do you want fries with that plaintext password?

Christian Berger

Re: Surprised they don't use *NIX

"I wouldn't have thought there would be much reason not to do something like that as a web app, that way anything with a recent browser from a single board computer (such as a Pi) to a full on workstation costing thousands could be powering the screen."

Yes, but web standards change very quickly, and web developers always want to have the newest technology to fail in. Also web browsers are hugely complex systems (more complex than operating system kernels) which are therefore likely to fail in inpredictable ways.

I think the problem is that we do not have propper "graphical multimedia terminal" standards. Sure we have VT100 to which we have added truecolour and mouse support, but if you want to display a photograph or play a sound, your choices are severely limited.

If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

Christian Berger

It's an insane idea

First of all, it's extremely easy to do something and pin the blame on someone else. Want the Russians to be the culprit, buy a Russian PC to develop your code on and leave Russian language clues. Attribution is basically impossible, unless you are dealing with stupid people.

Then there's the whole area of side effects of doing this. If you want to make attribution easier you have to make sure that things like anonymous communication disappear. This endangers large groups of the population, from whistleblowers to homosexuals. Probably even people like security analysts.

Third it doesn't fix anything. The security holes are still there. If they are not used by criminals they probably are used by "Lawfull" organisations.

In short it's an insane idea, not well thought out and based on assumptions which have been proven wrong many times.

Voyager suffers a power wobble as boffins start the final countdown for Spitzer

Christian Berger

Re: Incredible

Actually there were some firmware updates.

Remember when Europe’s entire Galileo satellite system fell over last summer? No you don’t. The official stats reveal it never happened

Christian Berger

Actually Galileo has reached its most important goal

Since the planing of Galileo both Russia and China have created their own satellite-based navigation system. Most mobile phones today support all 3 fully operational systems now, and they are all operated by different entities meaning that even if one decides that Europe is evil, there are still 2 other systems.

'Trust no one' is good enough for the X Files but not for software devs: How do you use third-party libs and stay secure, experts mull on stage

Christian Berger

There actually was a talk about this problem at the 36c3. The proposed idea for a solution against that was to mark your library "Geek-Code"-style to indicate if you see it fit for use for security critical things.

A typical example would be a crypto library someone started because they wanted to experiment with it. Of course one could use it for serious things, however since it wasn't meant for that there could be serious issues with this. Nevertheless releasing such code may be beneficial for some as a demonstration device.

Christian Berger

Re: It's actually not that hard

"Are you suggesting using CSVs because they are "standard"?"

No of course not, I'm suggesting that because in 99% of the cases it can be done in a very simple way. Often you don't need the ability to have the delimiter character in your data fields, you can simply replace it with another character or reject that input as invalid.

For example if you just have nummerical values, scanf can easily read that for you. With slightly more effort it can also read space delimited colums of strings.

Even if you need arbitrary data, there are way simpler ways then the "Windows CSV". Just use no quoting and add an escape character. That way your parser only needs to read in the input character by character and only have 2 modes. The first is the normal mode, the second is the "after escape character" mode.

One of the worst examples for how you can mess up a simple format is probably the "Windows CSV" which adds things like quoting which makes parsing very hard.

XML and JSON may have their advantages for complex and dynamic data structures. However one rarely needs that. Relying on standards is not always a good idea, particulary when you need more code to use a separate library than an implementation of your own parser would need.

A good summary of the state of the art is here:


Christian Berger

It's actually not that hard

Although you can never be 100% safe, you can always lower your risk by lowering your dependencies.

For example, if you have a simple list, using XML or JSON adds complexity without providing value. If you use simple delimiter separated files you can often use standard library features to parse such a list.

Beware of environments where adding a new dependency is simple. Adding a dependency is a potentially dangerous thing to do, think before you do it, think before pulling in code that adds new dependencies.

Microsoft boffin inadvertently highlights .NET image woes by running C# on Windows 3.11

Christian Berger

Re: BTW if you need a cross-platform GUI development solution

> Which raises the question of what actually is the native look and feel of Windows these days?

Well actually that still is the same as in the Windows 9x era. You can see that when all of the modern GUI extensions crash. I think it even reverts to the "System" bitmap front.

Of course if you don't like the look of the GUI elements you can use the OwnerDraw event and draw them yourself.

Christian Berger

BTW if you need a cross-platform GUI development solution

Take a look at Lazarus, it's a Free (as in speech) alternative to Delphi with all the nasty bits taken out. Software natively compiles on at least Windows, Linux and MacOSX, and since it uses the native GUI toolkits it'll always look and feel native. For all of those platforms you get a fairly large (10 Megabytes) static binary you can just drop onto the system and run.

Chrome suddenly using Bing after installing Office 365 Pro Plus... Yeah, that might have been us, mumbles Microsoft

Christian Berger

Now if they'd only have any semi decent search

For example the search function in Outlook can only search for whole words. So if you have a composite nown (as common in Germany) "Ticket" won't match "Carrierticket". Of course in the age of multi megabyte RAM in PCs doing a full text search of the subject still seems something hard for Microsoft.

Remember that Sonos speaker you bought a few years back that works perfectly? It's about to be screwed for... reasons

Christian Berger

What do you expect?

Sonos always was more of a lifestyle product aimed at people with more money than brains. I mean it was always obvious that those things were bound to happen as everything relied on proprietary and closed standards.

Normal audio equipment, on the other hand, is designed to rely on open and simple standards. The analogue line in virtually every device has will still work in 50 years just like it did 50 years ago. Bluetooth and HDMI, while probably not around in 50 years, are widely supported from many different manufacturers.

WebAssembly: Key to a high-performance web, or ideal for malware? Reg speaks to co-designer Andreas Rossberg

Christian Berger

Re: It would have made more sense...

Looks like it, but the core idea would be to have this as a standardized protocol integrated into the browser.

Christian Berger

It would have made more sense...

to ditch all Javascript and Webassembly and instead provide a socket-based way for the server to controll the DOM tree. Essentially you would get a "smart terminal" which handles everything that needs to be handled in real-time, while the logic runs on your server. You'd even save lots of processing time on the server as you don't need to string together a bunch of requests into a session.

Intel server chip shortages continue to bite: HPE warns of Xeon processor supply drought for the whole of 2020

Christian Berger

Usually reports of shortages have one purpose...

and that's to boost sales, as shortages mean that it will become harder to source something. Considering this, it also makes sense to lower the prices, this also boosts sales.

To me it looks as if Intel wants to reduce its stockpiles of older processors.

Copy-left behind: Permissive MIT, Apache open-source licenses on the up as developers snub GNU's GPL

Christian Berger

I don't think it's against "Copyleft"

It's just that more and more little toy projects get shared on github. There the idea is that someone wrote some code which isn't worth thinking about copyright, so they simply slap on some BSD license as they don't care what is being done with that code.

It's more a sign of a rise of casual code sharing on github than a fight against copyleft.

We strained our eyes with Lenovo's monster monitor: 43.4 inches for price of five 24" screens

Christian Berger

Re: Vertical space rules

Yes, particularly since you can simply make your screen wider easily by putting a monitor next to your existing one. This is easy to do horizontally, but not vertically.

Stand back, we're going in: The Register rips a 7th-gen ThinkPad X1 Carbon apart. Literally

Christian Berger

The X1 series seems to be a test balloon...

... to see how bad Lenovo can make a laptop before people will stop buying it. However since we have a seller's market where the offers determine what's being sold, they get through with lots of stuff.

Don't trust the Trusted Platform Module – it may leak your VPN server's private key (depending on your configuration)

Christian Berger

What did you expect?

After all the Trusted Computing Initiative was not about protecting user data but about protecting business models. If it was about making computers safer they would lobby for the elimination of scripting languages in browsers, and the elimination of "Service Mode" features and "security enclaves".

Imagine OLE reinvented for the web and that's 90% of Microsoft's Fluid Framework: We dig into O365 collaborative tech

Christian Berger

Re: Hmmmmm...

Yeah bizarrely they have managed to reach the responsiveness of a highly loaded (20 users) Xenix installation on a 386DX50.

Lenovo unfolds time frame for bendy ThinkPad: Pricey Windows PC out in summer '20

Christian Berger

Re: WTF!?

"Well apparently they're willing to trade sales figures for style so I guess we'll see how that pans out.

No great surprise if they manage to sell scant few and end up scrapping the line within 18 months."

Nah, that's not how sales works. In case they sell some, they'll proclaim that it as an ingenious idea, but since the market is shrinking it wouldn't sell as well as previous models. In case they sell very few they will also blame it on the market.

Christian Berger


Why on earth trade an important piece of every computing device (keyboard) for a display which will be obscured by your hands most of the time.

Astronaut Tim Peake reminds everyone about the time Excel mangled his contact list on stage at Microsoft AI event

Christian Berger

People seem to have misconceptions about Excel

It's not there to store data or numbers or anything like that, that should be obvious to anyone using it.

It would be nice if Microsoft would release any indication on what Excel is supposed to be. If I was allowed to put on my tinfoil hat I'd say they won't, because that would mean they would have to actually respond to bug reports.

Dropbox CEO: I will make your worklife a calmer experience

Christian Berger

Now if you were using any semi-decent e-mail client

you'd have your mail neatly sorted into threads making it easy to find what you are looking for.

Four words from Cisco to strike fear into the most hardened techies: Guest account as root

Christian Berger

What really scares me

Cisco has abysmally bad security for decades now... on different product lines... with completely new implementations. I mean just by chance they should have found some competent programmers starting a new project.

I mean even Microsoft managed to clean up their mess for a while after XP.

Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now

Christian Berger

The de-allocation method wouldn't be a problem as such... if they didn't have weird stuff like implicit object copies which can, if you aren't super carefull, cause 2 "copies" of an object have their members point to the same memory locations, paving the way to use after free and double free.

Pascal, for example, doesn't have that, the destructive assignment operator := does not copy objects, at best it copies references to objects.

Christian Berger

Well the problem with C++ is...

... that people who use it think it's a high level language when it's in fact more of several layers of complexity above plain C. Since C++ is so insanely complex, members of a team will spend most of their time learning new features. The result is typical "beginner" code where someone tried to use a feature for the first time without fully understanding it first. This distracts people from writing good code as the amount of "thinking" they can spend on a given amount of code is constant.

C has the same intrinsic problems as C++, but it's much simpler and much closer to Assembler. So if you know some Assembler you can spend more of your "thinking" to making sure your code is correct.

Of course today what we need is a language with about the complexity of C, but with type checking and without the problems of making it to easy to include libraries.

I got 99 problems but a switch() ain't one: Java SE 13 lands with various tweaks as per Oracle's less-is-more strategy

Christian Berger

One should note that changes in a programming language aren't always a good thing

Slow or absent changes mean that your code will work for a long time. Any change in the language can mean that your code breaks resulting in more of a motive to replace it. That's why the slow development of COBOL caused it to be indispensible for many banks. If Java was changing every couple of years no bank would seriously consider it.

I mean Java didn't even include the really sensible feature ideas of J2K yet.

IBM looks to boost sales the same way it has for 65 years – yes, it's a new mainframe: The z15

Christian Berger

There's a nice introductionary talk on that architecture



Biting the hand that feeds IT © 1998–2021