* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Robot solves Rubik's Cubes in 637 milliseconds

Christian Berger

How complex is that problem anyhow?

I mean is the problem bounded by CPU time or by how fast you can twist the cube?

Trump's taxing problem: The end of 'affordable' iPhones

Christian Berger

Actually it might bring the opposite

I mean for many companies import duties won't actually matter. Large international corporations surely will find ways to dodge any import duty, as they can simply avoid crossing US borders.

There might be another point. Large companies might move out of the US and set their headquarters somewhere else. Some highly qualified employees might move with them, while others might simply quit... bringing a lot more decently qualified people onto the "market". They might perhaps found their own company, or work at another company, raising the average skill there.

In any case, there is not much telling what Trump will actually do.

RIP EarthLink, 1994–2016: From AOL killer to regional ISP's attic

Christian Berger

It was a much different time back then

Back then people escaped their walled gardens to be on the open Internet. Now many people go to walled gardens such as Facebook.

Perhaps one thing is still the same. People using "online services" such as AOL were often regarded as the less smart ones, the conformists, the people who don't quite think for themselves. It's still like this with Facebook in some regard. More and more people apologize for being on Facebook or say that their account is just there for some legacy application.

It's a discussion that has been going on for decades. The official magazine of the Chaos Computer Club already posed the question of whether it's right to be on "commercial mailboxes". Back then it was about "BTX", the German version of "PRESTEL". (It had much fancier graphics, conforming to the latest standard for teletext.)

https://www.youtube.com/watch?v=iBfvIh2K4G0 (it even impressed aliens back then)

Was IoT DDoS attack just a dry run for election day hijinks?

Christian Berger

There is one error in that article

The election is not actually important. No matter who wins, the people in the US and the rest of the world will lose.

Christian Berger

There is no way to do online voting in a democratic way.

There is no way to have a system that's easy enough to be understood by everyone and involves computers. Once you have a computer, the average person has no chance of understanding it any more and therefore no chance of having informed trust in it.

Pen and paper systems may be easy to fake, but they are also very easy to understand and check. Particularly if you hold elections on a Sunday or a public holiday, everyone has the chance to check that election... or even be involved in it by volunteering to run it. (You get a small amount of money for that.)

Usually pen and paper systems are also rather quick to count. In Germany the polls close at 18:00, and at 20:00 you already have the full result for the news.

Apple, Mozilla kill API to deplete W3C battery-snitching standard

Christian Berger

Re: It's one standard in a long row of idiotic web standards

"You could always release your own stripped down browser."

No you can't, that's the point. Web developers expect more and more stupid features because mainstream browsers have them. If mainstream browsers only implemented essential features, web developers wouldn't use all that cruft.

Christian Berger

Well there is an important point

Everyone wants to create something even if they are bad at it. Creating a new feature and API is just an example of that. That's why you get so many bad new protocols or things like systemd.

There are people who have neither achieved the maturity nor the laziness it takes to design a good system, and increasingly they have the ability to mess things up.

In the past we had a natural filter and that was productivity. If you wanted to make an operating system that was more complex than UNIX you had trouble getting enough people to do so. Today everyone wants to join an Open Source project to have something for their resume.

Christian Berger

It's one standard in a long row of idiotic web standards

I mean there's also the USB API or the Bluetooth one, both having even stronger security implications. Then there's HTTP/2 which doesn't actually solve any problems and at best tries to masquerade web developer idiocy, but makes the whole problem of web applications and even simple web sites _much_ more complex. More complexity means more bugs and therefore more security-critical bugs.

However the W3C was created to increase the number of features, and all players in the browser oligopoly want more features as it keeps the competition out.

Want to spy on the boss? Try this phone-mast-in-an-HP printer

Christian Berger

Re: Every step you take, every move you make

How about Rudi gib acht? It's more about spying.

https://www.youtube.com/watch?v=ir8Evm75hlI

Christian Berger

No that was the 1980s

"something something terrorists"

No, back then it was "something something Russian spies".

Back when GSM came out there was a huge crypto discussion on whether it should be allowed to be encrypted. Not allowing the network to authenticate itself to the handset was the compromise.

World-leading heart hospital 'very, very lucky' to dodge ransomware hit

Christian Berger

Re: OMFG

Well even if you cannot change people themselves, you can easily influence their behaviour. How many people do you know who got electrocuted by their household appliances? With all those appliances around, that must be a high number, mustn't it? The reason this number is rather low is that household appliances are designed to prevent you from doing stupid things. You cannot simply touch any conductors inside, because they are encased in plastic.

However in computing there is no such sense for security. Yes, we tell people not to execute code from the Internet, yet when you click on a link to download an executable in your browser, it'll actually offer to execute it right away. That's a stupid thing that should never have been offered. Same goes for all kinds of app containers like apk or Flatpak. If you click on a link and your system installs software, that's a _really_ bad thing.

Instead you can make stupid things hard and provide safer alternatives. This then will influence people into not doing stupid things. Also make sure that the things they actually need to do (e.g. opening PDF files) are as safe as possible (e.g. not using a feature-complete PDF reader).

BTW the stupidity doesn't always just lie on the end user side, often it's also in the IT departments. Just think of the many computers that have office software installed without needing it, or Acrobat Reader when a more secure PDF reader would be good enough.

Christian Berger

Re: OMFG

"Easy access to everything allows them to get on with treating patients and every clinician loves their e-mail."

Yes, but seriously it's not a conflict between "easy access" and security. It's a conflict between stupidity and security. If you can just stop people from being stupid you'll have solved most of the problem.

Just like there are basic safety standards for things like light fixtures, the NHS could enforce those for the software they use. Since software security doesn't really cost money (only features) that should be easy to do.

Curl bashes 11 bugs

Christian Berger

Didn't curl have the problem...

...that it was left without maintainer because nobody wanted to touch that code?

James Dyson's new startup: A university for engineers that doesn't suck

Christian Berger

Re: Sorry to be a doubter...

"...so that the students currently graduating actually have the skills that employers want."

I'm sorry, but that's exactly the problem we have today. Universities are aligning their courses to what employers want. The result is incredibly narrow-minded students who have never learned the basics of their field and are unable to cope with any change. From this you get people who spend 20 years doing the same. When they get laid off, they'll never find a proper job again.

Christian Berger

Re: Dyson is a bit of an IPR zealot

"... but the R&D staff made it very clear that their personal notebooks had to be checked in and out of locked storage at the opposite ends of the working day and that they were under strict purdah when it came to discussing any details of their job with anyone else."

I am not sure how much of that is PR (look how innovative we are, we cannot even tell you what we are working on) and how much is legitimate. However considering that Dyson is one of the more innovative companies and how much even completely non innovative companies seem to care about such things, it seems proportionate.

Christian Berger

Hmm, it could go both ways

It seems like this would bring out more of the same we have now, teaching students a job instead of a field. If you do that, you'll end up with more and more narrow minded people.

Education is not about getting a job, it's about learning new things for the goal of knowing more. Being more suitable for the more interesting jobs in the world is just a side benefit.

Is password security at just $1/month too expensive for most?

Christian Berger

I don't get it either

I mean there's "pass" the standard unix password manager which simply uses gpg to store your encrypted passwords. Even if you want to sync it you don't need any online service as those are just files. You can simply sync them like any files.

Belgian court fines Skype for failing to intercept criminals' calls in 2012

Christian Berger

What a cheap way of doing marketing

Of course they could technically comply. After all they control the client (with updates and possibly hidden extra features), so they can instruct it to either give them the key or even the complete conversation. There is no incentive for Skype not to have that feature. (Apart from the few hours of work that feature would require.)

Of course they need to claim that they have no control over their clients. Paying 30k€ is a low price for all the positive publicity they get in the newspapers.

Christian Berger

Very simple

"The software could conceivably be banned in Belgium, but I'm not sure how Skype could enforce this (or indeed the Belgium authorities)."

They probably already ask you what country you are in when you register, if that's Belgium they can just not let you register.

WebAssembly: Finally something everyone agrees on – websites running C/C++ code

Christian Berger

Stupid idea

We already have an increasing amount of Javascript Malware in forms like tracking software. Until now you could simply defend against it by having locally patched versions of them. Patching WebAssembly will make this a lot harder.

The reason why browser manufacturers adopt WebAssembly is probably because it makes browsers more complex, creating a higher point of entry for new competitors. It's impossible to develop a new browser (engine) with a small team. You will always need a fairly large organisation. Those organisations want to continue existing. Making the web simpler could increase competition and could kill or harm any of them. An oligopoly is a rather nice place to be in.

Web devs want to make the Internet of S**t worse. Much worse

Christian Berger

Even if I wanted...

I'd rather want one that speaks Wi-Fi as that would reach through the access point from my kitchen to where I want to know its status.

We live in a world where even single-chip Wi-Fi solutions have enough horsepower to provide a simple webserver you can talk to directly with your browser.

Christian Berger

Re: Wrong

Well unfortunately browser sandboxes aren't any more secure than any other kind of sandbox. For most users they don't protect anything as most things are happening in the browser anyhow.

Yes, native apps are a problem, but since people are aware that those are shit, people might stop buying shitty devices that don't adhere to simple public protocols.

Christian Berger

Of course Mozilla will implement it

They have a track record of implementing and backing every bad idea. APIs like this one (or the USB one, or just about any that came out in recent years) make browsers more complex so it's harder if not even impossible to fork your own browser engine or even write one from scratch.

This keeps the browser market in an oligopoly, something all players there can live with. For them it's good, for the user it's bad... but nobody cares about those anyhow.

As always, more complexity will mean more bugs and therefore more security problems.

Dan Kaminsky calls for a few good hackers to secure the web

Christian Berger

If he would only think his ideas through

Virtualisation has been proven to not be very effective over and over again. Essentially even if it works perfectly you just have a "separate computer" which still needs to communicate with other computers. You can't fix one of the most prominent problems, an SQL injection, that way, for example.

If you store a key on a separate machine (i.e. one owned by Amazon) you may not be able to get it externally. However, since you probably get to a password database through the web app... which needs to authenticate you, it's likely you'll get that secret key used to encrypt the password database along with the database.

You could actually do something Kaminsky-like more for security if you'd store webpages in DNS. Since DNS is extremely well cached, a DoS wouldn't be so bad, most users would still get the cached copy.

There's also the obvious solution of eliminating complexity. Every line of code that's not there cannot be a bug and cannot be a security problem. Every framework brings you new bugs, and if you load javascript from other servers you don't own, those servers will own you and your users.
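The point above that a VM around the web app does nothing against SQL injection, shown as an added example (this is not code from the comment thread or from Kaminsky's proposal): the same lookup written the way that invites injection, beside the parameterised form. The user table, the account row and the attacker's input are constructed for the demo; the application's own database connection is fully authorised, so whatever ends up in the statement runs with the app's rights no matter how the host is isolated.

```python
"""Added example: SQL injection survives any amount of host isolation.
Schema, account row and attacker input are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h$alice')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # Attacker-controlled text is spliced into the statement itself, so the
    # app's own (fully authorised) connection runs whatever the attacker
    # wrote. Putting this process in a VM changes nothing about that.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # Placeholders keep the statement fixed; the inputs travel as data only,
    # so a quote or comment marker in them has no syntactic effect.
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (name, pw_hash)).fetchone() is not None


# Constructed attacker input: closes the quoted name and comments out the
# rest of the WHERE clause, so the password is never compared.
INJECTION = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION, "wrong"))  # True
    print("safe, injected:      ", login_safe(db, INJECTION, "wrong"))        # False
```

The vulnerable statement becomes `SELECT 1 FROM users WHERE name = 'alice' --' AND pw_hash = 'wrong'`, which matches the row regardless of the password; the parameterised form looks for a user literally named `alice' --` and finds none. The fix is in the code, not in the isolation around it.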

Asterisk users need to patch DoS bug

Christian Berger

Asterisk has lots of those bugs

For example if you don't ACK the "200 OK", the call will be left open in a half-open state, and there are ways to leave a call open in the "ringing" state without it closing on a timeout.

Essentially if you have an Asterisk server and you run lots of calls from lots of different (usually broken) devices through it, it _will_ crash eventually. While it is certainly among the best VoIP software packages, it's certainly not good.
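The two failure modes named in the post (a 200 OK that is never ACKed, and a call parked in ringing with no final response) as an added example that is not Asterisk code and not from the comment: a small SIP dialog tracker that reads a constructed signalling trace and reports the dialogs a server should have reaped. The trace format and the two thresholds are assumptions; the thresholds are based on RFC 3261's 64*T1 (T1 = 500 ms) retransmission window for 2xx and the three-minute Timer C.

```python
"""Added example: detect half-open SIP dialogs in a (constructed) trace.
Thresholds are assumptions derived from RFC 3261 timer defaults."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACK_TIMEOUT = 32.0    # 64*T1 with T1 = 0.5 s: how long a UAS retransmits its 2xx
RING_TIMEOUT = 180.0  # Timer C: three minutes waiting for a final response


@dataclass
class Dialog:
    call_id: str
    state: str = "new"        # proceeding -> ringing -> wait_ack -> confirmed -> ended
    last_change: float = 0.0  # timestamp of the last state transition


def parse_line(line: str) -> Tuple[float, str, object, str, str]:
    """Trace line: '<time> <dir> <first line> | Call-ID: <id> | CSeq: <n> <METHOD>'."""
    ts, _direction, rest = line.split(" ", 2)
    first, call_id_hdr, cseq_hdr = [p.strip() for p in rest.split("|")]
    call_id = call_id_hdr.split(":", 1)[1].strip()
    cseq_method = cseq_hdr.split(":", 1)[1].split()[1]
    if first.startswith("SIP/2.0 "):
        return float(ts), "response", int(first.split()[1]), call_id, cseq_method
    return float(ts), "request", first.split()[0], call_id, cseq_method


def track(lines: List[str]) -> Dict[str, Dialog]:
    """Replay the trace and keep the last known state of every dialog."""
    dialogs: Dict[str, Dialog] = {}
    for line in lines:
        ts, kind, code, call_id, method = parse_line(line)
        d = dialogs.setdefault(call_id, Dialog(call_id, last_change=ts))
        if kind == "request" and code == "INVITE":
            d.state, d.last_change = "proceeding", ts
        elif kind == "response" and method == "INVITE" and 180 <= code <= 183:
            d.state, d.last_change = "ringing", ts
        elif kind == "response" and method == "INVITE" and 200 <= code < 300:
            d.state, d.last_change = "wait_ack", ts      # 2xx sent, ACK outstanding
        elif kind == "response" and method == "INVITE" and code >= 300:
            d.state, d.last_change = "ended", ts
        elif kind == "request" and code == "ACK":
            d.state, d.last_change = "confirmed", ts
        elif kind == "request" and code in ("BYE", "CANCEL"):
            d.state, d.last_change = "ended", ts
    return dialogs


def half_open(dialogs: Dict[str, Dialog], now: float) -> Dict[str, str]:
    """Return {call_id: reason} for dialogs that should have been torn down."""
    stuck: Dict[str, str] = {}
    for d in dialogs.values():
        age = now - d.last_change
        if d.state == "wait_ack" and age > ACK_TIMEOUT:
            stuck[d.call_id] = "200 OK never ACKed: send BYE and free the channel"
        elif d.state in ("proceeding", "ringing") and age > RING_TIMEOUT:
            stuck[d.call_id] = "no final response: CANCEL and free the channel"
    return stuck


# Constructed trace as seen by the server: one clean call, one caller that
# never ACKs the 200 OK, one call left ringing forever.
TRACE = [
    "0.0 -> INVITE sip:100@pbx SIP/2.0 | Call-ID: good | CSeq: 1 INVITE",
    "0.2 <- SIP/2.0 200 OK | Call-ID: good | CSeq: 1 INVITE",
    "0.3 -> ACK sip:100@pbx SIP/2.0 | Call-ID: good | CSeq: 1 ACK",
    "1.0 -> INVITE sip:100@pbx SIP/2.0 | Call-ID: noack | CSeq: 1 INVITE",
    "1.2 <- SIP/2.0 200 OK | Call-ID: noack | CSeq: 1 INVITE",
    "2.0 -> INVITE sip:100@pbx SIP/2.0 | Call-ID: ringer | CSeq: 1 INVITE",
    "2.5 <- SIP/2.0 180 Ringing | Call-ID: ringer | CSeq: 1 INVITE",
]

if __name__ == "__main__":
    for cid, why in half_open(track(TRACE), now=600.0).items():
        print(cid, "->", why)
```

Run against a live box, the same logic would read the signalling log (or a packet capture) periodically; anything it reports is a channel that is consuming memory and a call slot for a peer that has gone away, which is exactly the resource leak that lets "lots of broken devices" eventually take a server down.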

20 years to get Amiga Workbench 3.1 update, and only a fortnight to get first patch

Christian Berger

We should take bets...

... what will be maintained longer, Workbench or Windows.

BlackBerry DTEK60: An elegant flagship for grown-ups

Christian Berger

hardware keyboards

"Question. Is that hardware keyboard really, REALLY necessary?"

Well there is a simple test to check if you need a hardware keyboard or not. Look into the distance and focus on an object there. Now take your hand and put it in front of both of your eyes. If you can still see that object, that means you have transparent fingers and a touchscreen keyboard will be right for you.

However if you don't have transparent fingers that means that you'll have to type blindly which means that you need some feedback on how far you were off the centre of the key.

Now you might say that you don't actually type text on your mobile device, or that you can use autocorrect. That's all fine and good unless you actually want to store data on that device securely. To store data on the device you must encrypt it. For such an encryption you need to have some sort of a secret. If you store that secret inside the device it's next to your data so an attacker can get to it relatively easily (may cost a few thousand Euros and involve uncapping chips, but that has been done in the past). So you need to have an external secret. Legally (in many countries) it must not be stored inside of something you "have", but instead something you "know". So you use a passphrase. However typing in such a passphrase quickly requires you to be able to type quickly and precisely. Having autocorrect on your password prompt would be a _huge_ security problem, as autocorrect would remember all those purposefully misspelled words in your passphrase.

Again if you have transparent fingers, you're probably fine with a screen keyboard.

Christian Berger

So the obvious non-answered questions:

Can you root it so you can limit the IP-Addresses it will talk to? (would be a _big_ security improvement)

Can you strip down the operating system to just the things you need? (would be a _big_ security improvement)

So essentially, from the security standpoint this is not better than your average Chinese Android device for 50 Euros.

Paging 1994: Crap encryption still rife in devices

Christian Berger

There are other security concerns

Confidentiality or integrity of the message isn't much of a problem for many areas. However mobile phones have other security problems. The most obvious is that the mobile telephone network has to know where the receiver is. That's a really bad idea in some areas as carrying around a tracking beacon has heavy privacy implications.

Plus there are the obvious practical problems of the pager network having _much_ better coverage than mobile telephony.

ARM: Hold my beer, we'll install patches for your crappy IoT gear for you

Christian Berger

Yes, particularly since...

... instead of having a simple HTTP-Server at the manufacturer which simply serves a fixed signed firmware file, this requires a rather complex system which has to take complicated input from the outside.

So essentially they make a simple process _much_ more complex and believe that this would somehow increase security.

Increasing complexity somehow seems to be a thing for mbed.

It's nearly 2017 and JPEGs, PDFs, font files can hijack your Apple Mac, iPhone, iPad

Christian Berger

Well with Linux it's a bit different...

... it used to be that on Linux or other unixoid operating systems, people tried to avoid those problems. They tried to make code as simple as possible so there is more care going into each and every line of code. (This is changing now with the FreeDesktop/systemd people.)

Also on Linux you already had those problems and the libraries tend to be fixed already. There's also more of a culture of fixing bugs, which may or may not turn out to be security problems, as a priority. (again apparently except for the systemd FreeDesktop people)

Will rush for New Radio compromise 5G quality?

Christian Berger

Why don't they simply make different standards?

I mean, IoT and Youtube have vastly different requirements. Why are they all trying to stuff it into the same standard, but with incompatible sub standards?

10x faster servers? Pop a CAPI in your dome

Christian Berger

What an unfortunate naming

CAPI already stands for the Common ISDN Application Programming Interface, a rather bad API to talk to your ISDN card. Unfortunately that API was so widespread it even got ported to Linux and deprecated much better APIs. That's one of the reasons why classical ISDN cards on Linux suck.

Basic income after automation? That’s not how capitalism works

Christian Berger

Extrapolating medium term trends

Yes, we still have a surprising amount of work. One reason for this is of course that we can burn through more and more resources. However resources are typically finite. There's only so much oil you can turn into cheap plastic toys.

For areas where the limiting factor is the workforce, we have found other ways to keep more people employed. In engineering we purposefully stop giving students good education so they will get worse and worse. This results in engineers needing exponentially more time to solve problems. Essentially since they have never learned how to actually solve problems, or how other people have solved problems in the past, their solutions often involve creating more problems than they were trying to solve. This causes a chain reaction which can even become critical.

In other areas like management, we are seeing the creation of "bullshit jobs". Jobs which serve no purpose but to create things for people to do. There are companies producing household appliances which have whole departments thinking about how to create an overarching theme of management so they can justify, more or less logically, why they have production plants.

We are currently still doing rather well at wasting work, however I believe it is very naive to think that this can go on for ever.

AI software should be able to register its own patents, law prof argues

Christian Berger

It might be a fatal blow for the patent system

I mean writing a patent isn't a very creative project, you just combine existing ideas and find a new use for them. There is no creativity involved as you can just brute force your way through a finite space of potential patents.

You won't get very novel or useful patents, but that's not the idea behind it, is it?

However you will easily be able to overload the patent system, and nobody will be able to find out if they are infringing on patents. Essentially the whole absurdity of much of the modern patent system would become even more obvious.

The answer to Internet of Things madness? Open source, of course!

Christian Berger

"If I had a Belkin product, the absolute last thing I'd want it to do is communicate with Belkin's cloud service."

Of course, but that's your opinion. In the commercial IT world you are not the customer you are the product. It's always possible to extract more money from you being there if you are the product than if you just pay.

"Belkin" (or any other company of course) believes they have the right to your data or the right to turn the light bulb into a subscription service. This cannot work without a connection to their cloud services. They believe that whatever data they gathered about you, will be valuable eventually... and seriously once you have a live feed of 10 million light bulbs there surely is some sort of fake business model you can come up with that's plausible enough to extract money from investors.

Christian Berger

Actually hire mature programmers

Every programmer goes through a phase where they do not understand that complexity is a huge problem. Therefore they design systems which lay one layer of complexity on top of another, without doing that in a way that actually works towards solving your problem.

So only hire programmers and software architects which have learned that the more lines of code you write and the more boxes you draw on a whiteboard, the worse your code will be.

If you look at todays systems, you'll notice that they don't get popped because of things like buffer overflows, but because someone left a debugging option open over the network which should only have been available over the serial port... and that debug port gives you access to a full fledged operating system.

Location boffins demo satellite-free navigation

Christian Berger

Possible yes, but probably not sensible

I mean of course you can for example use DVB-T signals of an SFN and estimate the distance differences to the individual transmitters. However that requires a receiver that can tune to those frequencies as well as process them in a way to estimate the impulse response.

It's much simpler to just enumerate the WLAN access points and then go from there. WLAN chipsets are cheap as they only need to work on a comparatively small band.

So in short it's one of those things that are fun to try, but probably won't have much practical use in the foreseeable future. Just like those "LiFi" setups which transmit data via LED lighting.

'Pork Explosion' flaw splatters Foxconn's Android phones

Christian Berger

Re: Physical Access

" if used properly the phone is WAY more secure than it would be if you rooted it and installed Linux."

I'm sorry, but unless you root your phone you cannot even prevent your vendor from installing new malware via the update feature, or your browser from exposing its security bugs to the web.

Christian Berger

Re: Physical Access

"Concentrate on making the encryption secure"

Actually secure encryption on a mobile device is mostly an illusion. Encryption always requires you to have a secret which is unguessable. However entering a secret is virtually impossible on a touchscreen. Even if you could use a strong passphrase, since your device will be always on, you can often just fish the secret out of RAM.

Storing a secret in a security chip doesn't solve the problem, as there are multiple attacks against chips these days. Pay-TV companies use the most secure chipcards you can have on a budget, and yet they have in the past regularly broken their competitors' systems.

So actually your chances of security are best if you root your device and install some proper Linux OS. Once you have iptables you can enforce actual security by only allowing your device to talk to your server. (Big security benefit!) Then use ssh with public key authentication and make the server erase your key regularly so you are forced to rekey.
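The egress restriction argued for in this post and in the earlier DTEK60 one ("limit the IP-Addresses it will talk to"), as an added example that is not from the comments: the policy for a rooted handset that may only open ssh to one server, rendered as iptables commands, plus a first-match simulator so the rule order can be checked against constructed packets before the rules are loaded onto a device you cannot easily reach afterwards. The server address 203.0.113.10 is a documentation-range placeholder and the interface names are assumptions.

```python
"""Added example: default-deny egress policy for a rooted phone, rendered as
iptables commands and checked with a first-match simulator. Addresses and
interface names are assumed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER = "203.0.113.10"   # assumed: the only host the device may contact
SSH_PORT = 22
DEFAULT_POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}


@dataclass(frozen=True)
class Rule:
    chain: str                          # "INPUT" or "OUTPUT"
    target: str                         # "ACCEPT" or "DROP"
    iface: Optional[str] = None         # -i (INPUT) / -o (OUTPUT)
    addr: Optional[str] = None          # -s (INPUT) / -d (OUTPUT)
    proto: Optional[str] = None         # -p
    port: Optional[int] = None          # --sport (INPUT) / --dport (OUTPUT)
    states: Optional[frozenset] = None  # -m conntrack --ctstate

    def matches(self, pkt: Dict[str, object]) -> bool:
        return (self.chain == pkt["chain"]
                and (self.iface is None or self.iface == pkt["iface"])
                and (self.addr is None or self.addr == pkt["addr"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.port is None or self.port == pkt["port"])
                and (self.states is None or pkt["state"] in self.states))


def build_policy(server: str = SERVER, port: int = SSH_PORT) -> List[Rule]:
    """Loopback, replies to our own connections, and one outbound ssh peer."""
    est = frozenset({"ESTABLISHED", "RELATED"})
    return [
        Rule("INPUT", "ACCEPT", iface="lo"),
        Rule("OUTPUT", "ACCEPT", iface="lo"),
        Rule("INPUT", "ACCEPT", states=est),    # only answers to what we started
        Rule("OUTPUT", "ACCEPT", states=est),
        Rule("OUTPUT", "ACCEPT", addr=server, proto="tcp", port=port,
             states=frozenset({"NEW"})),        # the single permitted new flow
    ]


def verdict(rules: List[Rule], pkt: Dict[str, object]) -> str:
    """iptables semantics: first matching rule wins, else the chain policy."""
    for r in rules:
        if r.matches(pkt):
            return r.target
    return DEFAULT_POLICY[str(pkt["chain"])]


def render(rules: List[Rule]) -> List[str]:
    """The same policy as iptables commands; chain policies go last so the
    ssh session used to load them is not cut off halfway through."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", r.chain]
        if r.iface:
            parts += ["-i" if r.chain == "INPUT" else "-o", r.iface]
        if r.addr:
            parts += ["-s" if r.chain == "INPUT" else "-d", r.addr]
        if r.proto:
            parts += ["-p", r.proto]
        if r.port is not None:
            parts += ["--sport" if r.chain == "INPUT" else "--dport", str(r.port)]
        if r.states:
            parts += ["-m", "conntrack", "--ctstate", ",".join(sorted(r.states))]
        lines.append(" ".join(parts + ["-j", r.target]))
    lines += [f"iptables -P {chain} {pol}" for chain, pol in DEFAULT_POLICY.items()]
    return lines


def pkt(chain: str, addr: str, proto: str, port: int, state: str,
        iface: str = "wlan0") -> Dict[str, object]:
    """Constructed packet description for the simulator."""
    return {"chain": chain, "iface": iface, "addr": addr,
            "proto": proto, "port": port, "state": state}


if __name__ == "__main__":
    rules = build_policy()
    print("\n".join(render(rules)))
    print(verdict(rules, pkt("OUTPUT", SERVER, "tcp", 22, "NEW")))          # ACCEPT
    print(verdict(rules, pkt("OUTPUT", "198.51.100.7", "tcp", 443, "NEW")))  # DROP
```

Two practical caveats the simulator makes visible: with only the server's address allowed, DNS is blocked too, so the device must address the server by IP (or a second NEW rule must admit one resolver on UDP/TCP 53); and because the chain policies are applied last, loading the commands one by one over an ssh session is safe, but an atomic `iptables-restore` is still the better way to apply the whole set.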

VMS will be ready to run on x86 in 2019!

Christian Berger

So... it looks as if VMS certainly will outlast Windows. :)

Pocket C.H.I.P. makers go Pro with cloud-linked ARM-flexing module for IoT gizmo builders

Christian Berger

The products are OK to inspiring, but the company around it seems to be bad

I have a Pocket Chip which is one of the most interesting mobile devices I've seen in recent years. Unfortunately mine has a severe display problem, plunging me into support hell. For what seems like half a year (got one of the first ones) I'm trying to get a fix or a replacement.

Adding to that is probably the most braindead way of flashing the firmware. It requires you to install Chrome _and_ an extension for accessing the USB. No other way seems to be available.

Linus Torvalds says ARM just doesn't look like beating Intel

Christian Berger

There is virtually no affordable hardware out there

There is virtually no affordable PPC hardware. It kinda moved to the high-end sector with IBM workstations and servers.

Of course you could take the specifications made for PPC and just apply them to ARM. After all there were full specifications for PPC-PCs. They even included bizarre things like the boot sector having to contain some x86 code to display an error message when you run it.

Christian Berger

"As an appetizer: How about this google.... for hardware to be certified for use with the google apps, all of the drivers must be open source."

That's essentially a business decision. Google has little interest in hardware and software being open to competitors. Every device that gets rooted and runs non-Google software means less revenue to Google. In the past, they simply may not have cared, but they will more and more.

Also Google is a platform provider here, and their actual customers want DRM and they want it to be impossible to copy their crappy Apps.

There's a third point and that is that SoC manufacturers like vendor lock-ins. They want to make it as hard as possible to change hardware. This is why SoC hardware typically is as obscure as possible.

Christian Berger

The server business might change that

As offering a server which can only run one operating system is kinda pointless, they really need a common platform.

Christian Berger

Same goes for virtually all "embedded platforms"

For example for Windows CE you also got the source license, and if you didn't you at least got the "Board Support Package" from your SoC vendor.

All operating systems in the embedded world are highly customizable. It's nothing special to Linux.

Crooks and kids (not scary spies paid by govt overlords) are behind most breaches

Christian Berger

If it was about paying

"I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."

Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things. They happen because people choose to go the complex route instead of the simple and elegant one. They happen when someone creates a complex web GUI using multiple highly complex frameworks, just to do something a couple of shell scripts could have done, accessed via ssh.

AT&T pilots dedicated IoT mobile network

Christian Berger

Re: If your IoT things...

"1GB is nothing. Think of all the audio which needs to be uploaded to the "cloud" for voice recognition."

The standard for sending compressed voice to a central server is 4800 bits per second. 600 bytes per second. So a gigabyte will last for 20.7 days of uninterrupted voice.

(Those 4800 bits are not meant to be turned back into voice, but instead the output of the first stage of the voice recognition.)

‘Andromeda’ will be Google’s Windows NT

Christian Berger

So it'll be yet another attempt of OOP people to design an operating system

So far the results were fairly mixed. Windows, probably the most famous system based on OOP principles, has changed so often into so many directions, you can hardly see the original idea of objects (Windows and GUI elements) passing around messages (events).

BeOS seems to have been rather decent, but thanks to it being closed source and rather incompatible, it didn't actually have a chance.

My guess, and I actually hope that people will prove me wrong, is that it'll be just a mess like Android. A system far too complex to be maintained without the help of Google. A system that offers so little useful functionality under a coat of shiny stuff. A system that sees locking out the user as a security feature. Much of this won't be because of the system design itself, but because of the people such a design will attract.

However there is one really good thing that could come out of this. It could attract the systemd/freedesktop people away from Linux.

True man-in-the-middle: Transmitting logins through the human body

Christian Berger

Actually there is a way to make this OK

First of all Sun has already done this in the 1990s:

http://www.javaworld.com/article/2076641/learn-java/an-introduction-to-the-java-ring.html

What you can do to actually make this moderately secure is to have a public key authentication scheme. Just have a private key on the device near your body and the public key wherever you want to authorize. This works great for ssh and would eliminate passwords in the browser once browser manufacturers would get off their asses and make TLS client authentication usable.
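The scheme sketched in the post, as an added example that is neither Sun's Java Ring code nor anything from the comment: the private key stays on the wearable and only ever signs; the verifier (a site or an ssh server) holds the public key, issues a fresh nonce per attempt, and checks the signature over that nonce bound to its own name. The signature is Schnorr over a safe-prime group whose 63-bit modulus is found deterministically at import; that size is a toy chosen so the block runs in stdlib Python and is not secure, which is an assumption a real device would replace with Ed25519 or an ssh-agent-style signer. The nonce handling is the part worth copying: one-time use stops replay, and the verifier name in the signed message stops a signature collected by one site from being relayed to another.

```python
"""Added example: public-key challenge-response with the key held on a
wearable. Toy Schnorr group (63-bit modulus) for portability; NOT secure."""
import hashlib
import secrets
from typing import Dict, Tuple

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic MR below 2**64


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these bases the answer is exact for n < 2**64."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int = 1 << 62) -> Tuple[int, int, int]:
    """Smallest q >= start with q and p = 2q+1 prime; g = 4 has order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4   # 4 = 2**2 is a quadratic residue, hence of order q


P, Q, G = safe_prime_group()   # toy parameters (assumption: fine for a demo only)


def keygen() -> Tuple[int, int]:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _hash(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:                      # length-prefixed: no boundary ambiguity
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def sign(x: int, msg: bytes) -> Tuple[int, int]:
    k = secrets.randbelow(Q - 1) + 1        # fresh per signature; reuse leaks x
    e = _hash(pow(G, k, P).to_bytes(8, "big"), msg)
    return e, (k + x * e) % Q


def verify(y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e, P) % P   # g^s * y^-e == g^k when honest
    return _hash(r.to_bytes(8, "big"), msg) == e


def _bind(verifier: bytes, nonce: bytes) -> bytes:
    """What gets signed: the verifier's identity plus its one-time nonce."""
    return len(verifier).to_bytes(1, "big") + verifier + nonce


class Device:
    """The wearable: the private key never leaves it; it only signs."""
    def __init__(self) -> None:
        self._x, self.pubkey = keygen()

    def respond(self, verifier_name: str, nonce: bytes) -> Tuple[int, int]:
        return sign(self._x, _bind(verifier_name.encode(), nonce))


class Verifier:
    """The site or ssh server: knows public keys, hands out nonces once."""
    def __init__(self, name: str) -> None:
        self.name = name.encode()
        self.keys: Dict[str, int] = {}
        self.pending: Dict[str, bytes] = {}

    def register(self, user: str, pubkey: int) -> None:
        self.keys[user] = pubkey

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def check(self, user: str, sig: Tuple[int, int]) -> bool:
        nonce = self.pending.pop(user, None)  # consumed on first use: no replay
        if nonce is None or user not in self.keys:
            return False
        return verify(self.keys[user], _bind(self.name, nonce), sig)
```

Usage: the server calls `challenge(user)`, sends the nonce to the device, the device answers with `respond(server_name, nonce)`, and the server calls `check`. Because the server's own name is inside the signed bytes, a response the device gave to `evil.test` fails verification at `example.test` even if it is relayed within the nonce window; and because each nonce is popped on use, re-sending a captured response fails too. Those two properties are what make "a private key on something near your body" hold up where a password or a bare serial number does not.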