Posts by Christian Berger

I recently demoed Lazarus at our company

Essentially while explaining Lazarus I was able to click together a basic CURD application within 8 minutes... without touching the keyboard.

That's like going bungie jumping...

... and then suing the bungie jumping company for tying an elastic rope on you and throwing you of a bridge.

Everybody knew that such software is highly problematic. It's simply not a good idea to try to fix the problem of to much software by adding more software... particularly if that software is written by people who are not security minded.

I can understand private people being fooled by companies like this, but we are talking about a large company... with legal departments. Why didn't the legal department find the clauses that said that the software must not be used for critical applications? Why didn't any of the technical departments object to that sort of software? Why wasn't anything done when the Linux version of that software had, essentially, the same bug... some weeks before this?

Well 16 and 32 bit support may important

I mean, sure as someone who runs Linux or *BSD on a server, it doesn't really matter if you have 16 and 32 bit support... but then again, it doesn't really matter if you have x86 or ARM or whatever.

The area where this doesn't matter is the Windows-Server market. There software is distributed without source code... and backwards compatibility is vital. The portion of that market that can't just switch to normal operating systems is "application servers for legacy applications". That old business-critical 16 bit WinAPI Application the company bought in 1993 will certainly not run on ARM.

I mean it's "Secure Boot"

It's a highly risky technology, originally designed to enable censorship for operating systems which, at best, protects you from some highly selected attacks.

I wonder if it's possible to create barcodes that way

I mean it would be a cheap way to transmit information to mobile phones by using an LED and a diffusor. You could create barcodes that could carry information like an authentication code or something.

Strictly speaking it's their Z84 line, not the Z80 line

The Z84 are CMOS variants which are faster and use less power than the original Z80 chips while being pin-compatible. The original Z80 chips probably have been discontinued decades ago.

That's why you still get Z80-flavoured systems based on even newer implementations. The Z84 chips kinda are overpriced with the CPU alone selling for more than a whole 32-bit micro controller fast enough to emulate it.

Well it's a sign of the crapularity

We do essentially the same things now as we did in the past, but with a lot more code. More code means more bugs resulting on the every day experience that computers don't work very well.

There is some hope that this comes in waves, like the terrible software we had in the 1990s being washed away by obsolesce and good ideas like the UNIX philosophy becoming more popular again. It may we that we are just in a current wave of that.

However if we aren't and the current trend continues, we might be heading towards a "Crapularity", a singularity of crap, where the systems around us keep failing and nobody can mend the mending apparatus as in E.M. Forster's "The Machine Stops"

There is one important legacy from it...

and that's UTF-8 which strips away multiple layers of complexity when dealing with international texts. There are now a lot of cases where you can just handle text as text, not having to worry about whether the characters inside of it are hieroglyphics or Arabic characters.

It's an attempt at turning back the time

Instead of trying to find innovative ways to get money to creators, the DMCA just tries to turn back the time to the 1970s, claiming that it can keep people from using computers. Essentially they try to maintain business-models that make no sense in the computer age.

In some areas, like mobile phones, they even succeeded, making manufacturers lock down their systems so users no longer can easily upgrade to another operating system. That is why there is so little progress in that field.

I once was able to test them

... they are almost comically bad.

I mean one of the main tasks of such devices is to capture 20ms of audio samples, package them into a RTP frame and then send them. There's more to building a good ATA, but that's the most basic thing you need to do.

Of course, since they are running normal operating systems, there is a bit of jitter to be expected, so if you compare the expected time of arrival to the actual time of arrival you should see some noise, in a histogram that should resemble a normal distribution close to zero. So the error is more likely to be between 0.1 and 0.2 ms than between 10.1 and 10.2 ms. It may be overlaid by a steady rise or fall because your sampling rate is not precise, but any half decent ATA will compensate for that.

The adapter I've been able to test had a "box shaped" distribution... and to make matters worse, the culminated error rose in discrete steps. Each one of those steps means that not only you will have a glitch in your audio, but also very likely that your modem connection will break. I have no idea how on earth they managed to make their device that bad.

It actually doesn't matter which megaorganisation wants to controll the Internet

I mean we also see "NEW IP" movements from the west, with Big "Tech" wanting to take over essential services like DNS or the Web.

It doesn't matter if those organizations are motivated by greed or the desire for control, we need to oppose it.

The obvious way to do so is to avoid complexity. Simple protocols are easier to implement. That means you have more implementations and less control from big organizations.

Plain IPv6 is a good step in that direction as it simplifies a lot of things. For example there no longer is a need for NA(P)T which eliminated the need for workarounds for it. You can have end-to-end connectivity which eliminates the need for central servers. You could build things like messaging systems without any need of an organization operating it.

Yeah, but by NFT logic...

... I can prove that nobody was harmed when the Titanic sank.

There are immutable pieces of paper that were distributed thousands of times that claim "TITANIC SIKNING ; NO LIVES LOST"

https://www.huffpost.com/archive/ca/entry/titanic-headlines-in-vancouver-got-it-very-wrong-photos_n_4178419

Then there is this Italian movie, distributed in immutable DVDs to thousands of people, The Legend of the Titanic (1999). This movie claims that nobody died, as the octopus that was responsible for the ice berg being in the way, saved them all.

It's not like any "Blockchain" is more authoritative than a random newspaper or a movie, except in the eyes of some idiots.

I'm not sure if they have ever seen a rocket launch

Considering that you need huge rockets filled with propellant that will be turned into CO2 and water in minutes just to send up a shipping container full of equipment, I doubt that this will ever be able to offset the environmental cost of producing electricity on earth.

Also on earth you can just use solar power and wind to power your datacentre.

Why would anybody accept this?

...except for maybe those people who are to bad at what they do to not find a new job quickly?

I mean, Twitter isn't infrastructure. If it vanishes tomorrow few people will even notice.

It actually could be much less

Such services typically determine market shares by trying to run 3rd party Javascript in browsers. Since running extensions like noscript is correlated with running Linux or *BSD, those operating systems are likely under represented in those studies.

There is a good point for this, heise.de, a website mostly browsed by people at work (=>much higher Windows percentage than global) still has lower numbers for Windows than those statistics.

How does one secure it?

I mean, sure it might be meltdown-proof, but what if someone goes there and either just takes the reactor with them or plants a bomb next to it.

Considering there are decent amounts of radioactive materials inside of it, using it as a "dirty bomb" seems a plausible scenario.

Simply put: There aren't many jobs in that area

For example Germany has jettisoned most of its non-automotive companies in the last few decades. There are no solar companies or communications companies any more. Those that do exit have outsourced most of their technical aspects. Most of what's left is in the automotive industry, but you don't want to go there.

To be honest my decision to study electrical engineering was mostly influenced by it's use as a hobby.

Well we knew that their use was rather limited

However, at least in Germany they actually have turned into a beacon of hope, but not in the way one would expect.

The German tracing app CWA (Corona Warn App), not only followed the minimal standards you would expect, like having public source code for the app, no they have public source code for all components including public documentation on the rationale behind the scheme they used.

And the design was very decent trying to keep the advantages without compromising privacy. Essentially it was done in a way you only had to expose yourself when you got tested positive.

Now the main point of criticism was that it was hugely expensive... until the Luca App came along which claimed to do the same thing, but was developed a lot less competently yet charged a similar amount. While the CWA people actively engaged with the security community, for example by giving talks at hacker conferences, the Luca people only complained that people were complaining about basic defects of it.

Pasives are not semiconductors

Particularly not resistors, inductors and capacitors.

Passives are more or less defined by not being semiconductors. (there are of course exceptions and gray areas)

Nobody expects that kind of software to do anything other than...

...waste CPU cycles. After all the only remotely sensible feature (scanning for known bad strings of octets) is only semi-useful so vendors try to proof maths wrong by trying to find out if code is "good" or "bad" by just looking at it.

Well why bother with it at all?

I mean after all those are devices where actual security is more important than any kind of security snakeoil. Just build them in a sturdy and locked case and have decent hardware interlocks to prevent bad things from happening.

If bad things can happen from errors in the software, secure boot will not help you much, as in order to change the boot process, you already need very high privileges. On the other hand, the charge process, which can cause harm if interfered with, has to have interfaces so the outside world.

Well the requirements of loading data overlap with the requirements for audio

Essentially audio tape formats in the home computer era work by storing pulses on the tape. This was done in order to keep the hardware simple and to be able to deal with extremely horrible tape decks running at the wrong speed.

If you manage to keep a pulse vaguely coherent, you will be able to get the data through. This is also called a linear phase response, or a constant group delay. This isn't as important for general audio, so back in the analogue days people didn't take the effort of doing so.

Now since everything is digital, it's easy to have filters with linear phase response.

Also any general purpose audio codec has very little reason to mess with the phase, so the data will likely go through given sufficiently high bit rates.

BTW back in the analogue days there was a variety of ways to deal with non-linear phase responses which you could have when the audio was transmitted via television or the radio. The WDR Computer Club (West Germany) had a device which would cup off the overtones of the tape signal. That way they didn't need to care as much about what the overtones contributed to the signal. In (communist) East Germany, the solution was to broadcast the signal in stereo, loud on one channel and with 10dB attenuation on the other one.

Some time ago I listened to a talk from one of the Kubernetes proponents

It was a talk about security issues, and when it came to the issue of over boarding complexity often caused by Kubernetes he said that there is a difference between "what people want" and "what people need".

Seriously if you want complexity maybe you shouldn't work in IT, and area where complexity is the main problem.

I wonder where the myths about IPv6 came from

I mean IPv6 is not inherently more complex than IPv4, in fact it's much easier in many regards (like stateless auto configuration for networks without DHCP).

My guess is that it's because of the "hype" people which crammed more and more "experimental and optional" (read unused) features into it like "IP Mobility" or "NAT64" or "NAT46". However nobody really uses that. In reality IPv6 is not much different to IPv4. It's a separate network sharing some infrastructure, it codifies some nifty ideas you have in IPv4 in a cleaner way (e.g. your local nameserver should always listen to a fixed local anycast address so you don't need to configure it). Nobody uses those advanced features except for experiments.

There are 2 main underlying problems here:

1. Mozilla doesn't care about its users. They fail to understand what they exist for and instead work against the user.

2. Web standards are so utterly complex, that it's impossible to write a truly free browser. The code of browsers is to complex for a single person or small group to make meaningful changes. The code is, in a way, unfree, but not because of license, but because of complexity.

Well at least they were cheap...

Mac books are cheap, aren't they?

Well yeah...

yet another reason not to execute code from untrusted sources like advertisement companies. We really should be working on getting rid of executable code on webpages.

It is perfectly adequate technology for this

After all that is just a sign that can display text. Serial lines are more than adequate to get the data there. This probably uses something like RS-485 which works much better for long lines, but is otherwise nearly identical to "normal" serial lines. Also it works over normal twisted pair and doesn't need higher grade cable you would use for Ethernet. BTW you can run such a system in a unidirectional mode so an attacker on the bus can eavesdrop and modify the data, but not access the master.

I mean this makes a lot more sense than what a German railway company did, using Windows PCs to directly drive their station signage... with the obvious result that eventually they were hit by ransomware.