* Posts by Christian Berger

4850 publicly visible posts • joined 9 Mar 2007

Tintri debuts storage precog that knows what you'll need in 6 months

Christian Berger

Fascinating...

...how you can sell simple exponential curve fitting as a feature. It seems to me like that's a feature a single person would develop in an afternoon.

There are even Youtube videos on how to do it:

https://www.youtube.com/watch?v=ta4MZS7w2VA

I'm not very good at math, but for me the hardest thing to understand is the accent.

Work begins on Russian rival to Android

Christian Berger

Re: Building a more secure system than Android shouldn't be hard

"Since that burglary in the street last week, we've all learnt that locks are no longer able to securely defend our homes. So we have all done away with locks on all windows and doors."

No, that's not the point I'm trying to make. My point is that, just because you have a room you can "lock securely" you shouldn't just let any stranger into your home.

The sandboxes on mobile operating systems are there to create the illusion that you can just run any random software you download from non-trustworthy sources. They provide an illusion of security on which people depend. People do install "apps" without checking where they come from, relying on sandboxes somehow controlling those apps. People actually believe they can just install any app without their system being utterly compromised.

If you instead just make it clear that you should never install untrusted applications, and have safeguards against doing so, you can achieve actual security. Additional measures can be sensible, if the additional code is small enough to not cause any security problems by itself.

Christian Berger

Re: Building a more secure system than Android shouldn't be hard

a) Your GSM would of course run on a separate processor with only a well defined and simple interface to your main computer. Think of AT-Commands over a serial interface. All GSM stacks support that out of the box.

b) Memory protection might be one of the few things to add as a feature, however it can only protect you from mistakes. You will never ever be able to trust third party applications. That's what I mean by "misunderstanding sandboxes". Since Rowhammer(JS) we have learned that sandboxes simply are not able to contain malware securely. However there are alternatives. One would be to use the handset as a simple terminal for a server based service. Those protocols can be extremely simple. Or if you desperately need local software that cannot be audited, you can use a separate second computer inside your handset. This may sound absurd at first, but it's precisely what the SIM has been doing for several decades now.

The current way of doing things, where you have an operating system running apps from untrusted sources, hoping you can somehow secure them by sandboxing, simply does not work.

It's probably best to have a small memory card installed inside your handset which does contain the operating system and additional programs you trust. This card then is hardware protected to only be read from the handset. If you want to install additional software or updates, you need to take it out, place it into a different device and access it. The same can be done with a hardware switch for which you need to open the device. If an attacker already has physical access to a device, there's virtually nothing you can do to secure it anyhow. (at least not on a size budget compatible with a mobile phone)

Christian Berger

Building a more secure system than Android shouldn't be hard

After all most of the security problems of Android come from its complexity and its misunderstanding of what sandboxes can do.

Building a touch ready GUI toolkit as well as a simple interface for interfacing software with it. Essentially this should have roughly the complexity of TCL/TK, if you base it on the Linux kernel.

If you want to go further, you can even take an embedded kernel like the Free/OpenRTOS kernel. It's much smaller and needs very little RAM. With that you could get a design team together and make a tiny little CPU with roughly the complexity of a 6520 or a Z80, but modern manufacturing processes so it'll be fast. Such a simple CPU would be small enough to be understood by a single person so it can be audited easily.

Opera claims 50 per cent power savings with browser update

Christian Berger

Hey... uhm...

They also claim to be able to speed up this page:

https://blog.fefe.de/ (No images, no Javascript, only optional CSS)

by 11%

https://twitter.com/neuntausendfux/status/731320729216618496

US work visas for international tech talent? 'If Donald Trump is elected all bets are off'

Christian Berger

Re: We are already there

Again, dig deeper and you'll find that that war most likely was caused by someone US/USSR friendly coming to power being backed by said superpower... or if you dig deeper you will find things like the Sykes-Picot Agreement https://en.wikipedia.org/wiki/Sykes%E2%80%93Picot_Agreement causing territorial disputes, dividing cultures and forcing artificial borders.

History isn't "good vs evil". History is more complex. I do not believe violence is not a way to solve complex problems. You cannot bomb for justice.

Christian Berger

Re: We are already there

"Didn't the Taliban of Afghanistan commit acts of atrocity BEFORE we came storming in, though?"

https://en.wikipedia.org/wiki/Taliban

"The Taliban movement traces its origin to the Pakistani-trained and US-sponsored mujahideen in northern Pakistan, a loosely linked confederation of Islamist militias fighting the Soviets during the Soviet–Afghan War."

You know history didn't start in 2001.

Christian Berger

Who wants to work in the US anyway?

I mean it's hugely expensive, there is little infrastructure, there are only few jobs that are interesting and non-destructive.

Christian Berger

We are already there

Look into Iraq, look into Afghanistan. We already have big nasty wars destabilizing the entire world.

It's hard to believe, but before US and Russian interventions decades ago, those countries used to be rather peaceful and free.

Fighting injustice with injustice is not a way to go, and using drones to bomb places is hard to be seen as something that is justified or even a "fair fight".

Unicorn adopts rainbow as logo

Christian Berger

Re: Well to be honest, it was dealing with photographs

Yes, but considering they will be bought by some other company... or simply go bust, it's not really worth printing letterheads.

The bigger problem is that there is no text, so you cannot easily search for those logos.

Christian Berger

Well to be honest, it was dealing with photographs

So a colour gradient kinda makes sense. After all many companies have either colour gradients or rainbows in their logos. Just think about Apple which is a rainbow. (I believe it was in a circle, but I haven't seen it for years)

If anything it's more of a testament of laziness among designers in that area.

SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers

Christian Berger

The problem is the mindset

There are people in the telco business which still believe that their networks are somehow sacred and that nobody with a bad intention can get in there. That's why some telcos will happily provide you with the username of the PPPoE session the user is using on the first invite.

Learn a scripting language and play nicely: How to get a DevOps job

Christian Berger

It seems to me it's there to hold the bottom of the barrel

I mean seriously, an engineer not being able to program probably isn't too smart. If you are interested in technology, you should at least have a bit of knowledge in all fields. I mean I studied electronics and even I calculated the gear ratio of an epicyclic gearing. I surely don't know enough to do anything very useful in those fields of engineering, but I know enough to talk to another engineer.

Programming is not even something hard, it's just being made hard by use of improper tools.

Christian Berger

"Sysadmin who is supposed to be able to code ? I don't know one who doesn't, personally."

You know there's a lot of Windows sysadmins left over from the 1990s who grew up in a world where you couldn't just write a short 5 line program to save you a day of work.

Siemens Healthcare struck by rebranding madness

Christian Berger

There's an article in the local press

http://www.nordbayern.de/region/erlangen/erlangen-siemens-healthcare-wird-zu-healthineers-1.5178507

So this gives us some context. The party happened in Erlangen in the "Röthelheimpark" and was apparently televised around the world. Ohh and they are going to build a new building housing 1000 employees.

A quote from the chairman of the management, Bernd Montag, "Our new brand is a courageous signal for our standards and expresses our self-image as an enterprise that's close to the people".

According to the article "many employees liked the change". 5000 employees were there, so "many" could also be a tiny percentage. :) On the other hand, many of those people have worked (nearly) their whole life for (companies like) Siemens. They don't know any different. Siemens has gradually turned into a "bank" since the early 1990s with bean counters replacing physicists in the management, so most of the current employees grew up in a world where things like "quality gates" are far more important than good engineering. They grew up in a world where people feel entitled to ridiculously high salaries, despite having no idea what they are doing. They probably think such rebrandings are normal.

Christian Berger

I've worked at a Siemens subsidiary

Honestly "imagineer" at Disney probably is more exciting than any "engineering" job at Siemens you can get. Essentially most jobs are about getting bugs out of outsourced code you could have written in a fraction of the time it takes to debug it.

Siemens Healthcare actually used to be one of the areas where engineers actually had to solve hard problems. I mean you need to be able to do advanced mathematics to do a CT scan.

Cops deploy StingRay anti-terror tech against $50 chicken-wing thief

Christian Berger

That's not surprising

IMSI-Catchers are essentially just "boxes" you turn on, and you get a list of all the IMSIs in your area. There's nothing inherently expensive in using those. The main costs are in buying those, so once you have it, it makes sense for you to use them as often as possible.

Getting shafted the Silicon Valley way

Christian Berger

It's perhaps also a nod towards the emission scandal

Probably something very similar happened at VW and other companies cheating about their emissions.

Also one point is also worth emphasizing with start-ups. The product is the stock market price.

F-35s failed 'scramble test' because of buggy software

Christian Berger

I think there is a wonderful message behind this

I mean I always wonder where the really good people work. The people who have understood how to solve problems.

At least now I know they don't work for such companies. It's good to hear that they are not dedicating their minds on how to kill people more efficiently. I cannot tell whether that's because of choice or because they have been driven out by really bad management, but at least they don't seem to work there.

Intel loses its ARM wrestling match, kicks out Atom mobe chips

Christian Berger

Intel didn't even try

They apparently failed to understand that they are tied to the PC-platform. People want x86 because it comes with a whole ecosystem of hardware that's well standardized. You have a wide variety of operating systems available, and it doesn't matter if your PC was made by company A or B.

This could have led to a new class of devices, connected Palmtops. Essentially spiritual successors of the Nokia Communicators, but with x86/PC hardware.

However Intel promoted bog standard Android devices. Exactly the kind of device Intel has a great disadvantage at, since Android is ARM country. Many applications come with their own ARM binaries to actually do stuff. Those need to be emulated. In effect the user will have a device which looks and feels precisely the same as cheaper ARM-based competitors. Having closed boot loaders also eliminates all the remaining advantages.

Q. What's the difference between smartphones and that fad diet you all got bored of? A. Nothing

Christian Berger

If you continuously bring out the same product...

...the market is going to "mature" as everyone who wants one, got one.

The obvious solution is to diversify, but that's risky, that's why business people won't do it.

Reskilling to become a devops dude could net you $105k+

Christian Berger

I don't think that's what TheReg is about

So far "tech marketing" seems to be a large part of its identity.

Time for a patch: six vulns fixed in NTP daemon

Christian Berger

Luckily you can run your own time infrastructure

Running your own NTP-server is not particularly hard. Essentially you buy a box with an antenna which then acts as an NTP-server without any connection to the Internet. It can get its time from various sources like GPS/GLONASS or your local long wave time transmitter. You can even patch some of them into your local time infrastructure.

German prof scores €2.4m EU grant to crack software on your bicycle

Christian Berger

Such projects often end up in disasters

We have seen that with projects like Kamailio (formerly known as SIP Express Router) which try to solve a simple problem and end up being complex monsters.

What we'd need is simple standards. They don't need to be "perfect", but they have to be good enough to make the things simple everyone needs.

Microsoft's Windows 10 nagware storms live TV weather forecast

Christian Berger

That's why you should always avoid complexity

The Windows 10 upgrade ads are just another bit of the needless complexity you get when using Windows, or increasingly systems designed by "Freedesktop/systemd" people.

That's why you should always try to cut down your systems as far as possible. Every feature you don't need is a potential bug, even though I'm sure Microsoft considers the Windows 10 ad screens an essential feature. It's just like the OpenSSL "keep alive" feature.

Jaron Lanier: Big Tech is worse than Big Oil

Christian Berger

One should also note that large services got popular because it shields you

I mean in the past, if you wanted to distribute things like opening themes to cartoon shows, you'd do it on your website. Usually nobody would care, but you always had the fear that some big copyright holder would sue you into oblivion... not a good prospect for someone having a small private webpage.

Now with services like Youtube you can simply do that. At worst Google will take it down, but there is no personal risk involved in it. That's why they got so popular. If we'd have a saner approach to copyright, (i.e. allowing personal use and citing things on the Internet, as well as making DRM illegal) we'd have a much more distributed Internet again.

Ten years in the clink, file-sharing monsters! (If UK govt gets its way)

Christian Berger

In an authoritarian regime that makes perfect sense

If you allow DRM to exist, large parts of your society will have to make copyright violations. Either by directly pirating the content or by breaking the DRM.

Essentially this allows regimes to pick people they don't like, claim they committed copyright violations (which is probably true) and jail them.

Business gadget-makers eyeing modular LG G5 smartmobe

Christian Berger

Well it would need some points to be suitable for business

First of all a "bare bones" Android which is of course rooted and has at least iptables on it, so you can lock it down to not talk to anything else than your company servers.

Second it would need a decent keyboard. Not just one of those 3-row Blackberry thingies, but a full 4-5 row keyboard in a clamshell case.

Then you can just use those mobile devices as a terminal to access your terminal server or desktop computer (either via RDP or VNC). That way you could immediately use the software you already have and make it available on your mobile device.

Of course the next step would be a sort of "modified screenreader" which would "parse" GUIs and re-arrange the elements so you can use them more easily on a small screen.
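The lockdown described in this post (a rooted handset with iptables that may only talk to the company's servers) as an added example, not code from the original post or from LG or Android. The server addresses are constructed placeholders from the TEST-NET-3 range, the ports are RDP and VNC as mentioned above, and it assumes the device kernel has the conntrack match compiled in:

```shell
#!/bin/sh
# Added example, not from the original post: lock a rooted Android handset
# down so it can only reach the company's terminal servers.
# The server addresses below are constructed placeholders (TEST-NET-3);
# RDP (3389) and VNC (5900) match the use case in the post.
set -e

IPT=${IPT:-iptables}                 # set IPT=echo to dry-run (print the rules)
COMPANY_SERVERS="203.0.113.10 203.0.113.11"
COMPANY_PORTS="3389 5900"

lockdown_rules() {
    # Default-deny in every direction; everything below is an exception.
    $IPT -P OUTPUT DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is needed for local IPC between apps and system services.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections the handset opened itself are allowed back in;
    # nothing may initiate a connection to the handset.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound: only new TCP sessions to the listed servers and ports.
    # Servers are pinned by IP on purpose, so no DNS exception is needed.
    for server in $COMPANY_SERVERS; do
        for port in $COMPANY_PORTS; do
            $IPT -A OUTPUT -p tcp -d "$server" --dport "$port" \
                -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        done
    done

    # Log (rate-limited) what the policy is about to drop, so a
    # misconfiguration shows up in the kernel log instead of failing silently.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "LOCKDOWN-DROP: "
}

# Apply only when explicitly asked, so sourcing or dry-running is safe.
if [ "${1:-}" = "apply" ]; then
    lockdown_rules
fi
```

Run `IPT=echo sh lockdown.sh apply` first to review the generated rules, then `sh lockdown.sh apply` as root on the device. Because the policy is default-deny with the OUTPUT policy set first, a mistake in the exception list fails closed rather than open.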

MIT boffins build AI bot that spots '85 per cent' of hacker invasions

Christian Berger

So, it can detect portscans?

A "hacker invasion" can be anything from a ping to an armed militia physically messing with your computers. So "85%" is not a well defined statement if you don't know what the baseline is.

Job ad promises 'Meaningless Repetitive Work on the .NET Stack'

Christian Berger

Re: Managed COBOL?

Actually most languages from that time were, what Microsoft now calls "managed". It's simply because back in the day language developers looked at what programmers had difficulties with... and addressed those problems. One of the main problems programmers are still having was pointers. So it's just logical to remove or de-fang those. For systems programmers there still was assembler or C.

It's only in the 1980s that, with things like the emergence of C++, we look at languages and deliberately create more difficulties.

Mitel nabs Polycom in $1.96bn deal

Christian Berger

This should be a red flag to all customers

Essentially Mitel already contained an accumulation of products which just don't work very well. They speak very peculiar dialects of SIP which are sometimes just plain wrong. Adding to that it seems as if you can only get those installed by "certified" "technicians" which typically means that you get a salesperson with nothing more than an in-depth knowledge of the marketing material.

Now add the typical business model of a hedge fund to it, and you'll get a company essentially stopping all bug fixing to change marketing related things. The code probably will be bad enough that even changing "Polycom" to "Mitel" in the strings will change the memory layout enough so the buggy code won't work any more.

Websites take control of USB devices: Googlers propose WebUSB API

Christian Berger

Re: Makes sense for a browser company to support it

"Google is also trying to make the browser an OS - just, it will also have all the issues an OS has."

Well the problem is that browsers are horribly badly designed OSes. That's why browsers are so much more complex than actual operating systems. One might argue that this is because modern OSes follow the Unix philosophy while modern browsers follow the Stroustrup OOP philosophy.

Christian Berger

Makes sense for a browser company to support it

... as this makes browsers more complex and therefore lowers the chances of a new browser vendor coming up. This keeps the current oligopoly safe.

Just imagine there being a FOSS browser which actually does what its users want and doesn't just make the GUI worse with every version. Mozilla would be broke within a couple of years.

Spinning rust fans reckon we'll have 18TB disk drives in two years

Christian Berger

Re: Price is a myth!

Yes, but only if you need very fast hard drives. For simple mass storage you don't need that speed.

Microsoft drives an Edge between Adobe and the web: Flash ads blocked

Christian Berger

Good, but the next head has already grown

It's good to see that Microsoft finally tries to slay the dragon's head that's Flash, however its ugly replacement heads have already grown in the form of misused Javascript.

We already have lots of web sites that require _megabytes_ of Javascript to run just to display a quasi-static page.

The problem is that, during the browser wars days, there was the idiotic idea that you should be able to design a web page, just like you could design what is on a piece of paper. This has led to thousands of features which allow you to specify how a page should look instead of just specifying your content and letting the browser decide. Today with different screen sizes this adds the complexity of designers having to "respond" to different screen sizes.

GCHQ is having problems meeting Osborne's 2020 recruitment target

Christian Berger

Re: I love UK...

Essentially it's not a civil service, but a civil disservice job. While on many civil service jobs you can go home knowing that you made the world a tiny little bit better, when working for the GCHQ you know you made it somewhat worse.

Illegal drugs and dodgy pics? Nah. Half the dark web is perfectly legal

Christian Berger

Maybe we should call it by its proper name

"Websites that don't come up in (the first 2 pages) of Google results".

When Steve Jobs was away, Apple's designers snuck out a penis-shaped remote control

Christian Berger

That's the standard design of Philips remotes from that time

Philips just experimented a lot with designs in that time. They also had a "helmet" shaped TV http://www.radiomuseum.org/r/philips_discoverer_gr1_ax_14gr122.html

India orders 770 million LED light bulbs, prices drop 83 per cent

Christian Berger

"I have a stockpile of incandescents because I have dimmer switches and most LED and CFL don't like working with dimmers."

Actually at least the simpler LED lamps should work fine with dimmers. It's just that companies selling such lamps usually don't know too much about electronics, so they assume they don't work with dimmers. Plus there's, in theory, a wide variety of devices called dimmers. Usually you have something that turns on the power for small amounts of time. Those are made with thyristors. However other dimmers might use a variable transformer as that might have been cheaper at one point in time. So in effect you'd have lots of testing to do for a minority of users.

Christian Berger

Well even the simplest ones are a start

Even the cheapest way to connect those LEDs to the mains is a good start, just using a rectifier and many LEDs in series gives you rather good efficiency. That's what is done in those "filament" LEDs.

Using switch mode constant current supplies is hard to get much more efficient than that. Considering that they are also more complex and therefore fail much more often, it might not be worth it energy wise.

Canadian rotter abducts giant Playmobil fireman

Christian Berger

Those figures at that size are common around Playmobilland

For example I used to live in Langenzenn and there were quite a few of those >1m figures standing around.

Android's unpatched dead device jungle is good for security

Christian Berger

Re: The problem is actually different

"Those two requests are contradictory. Installing few apps and having little functionality in the OS."

Actually not. You can reach that by having few, but orthogonal features, something many modern developers don't seem to understand. The functionality you get from apps today could also be implemented by a simple "terminal" standard.

The only problem would be games... but there's a whole group of people they don't want to have that. Those want to get information from "online services", they want to communicate, and they don't want to worry what happens if their device gets stolen.

Christian Berger

The problem is actually different

Modern "smartphones" are designed for a business case that is incompatible with security. They are built to sell apps.

The problem with this is rather simple, apps come from a number of untrustable sources, usually only in binary form, and some even deliberately malicious. The proposed solutions for this problem are as follows:

1. An Appstore with censorship: In theory some Authority determines what software may go in, and what software must not go in. In that theory there is no other way to install software. In reality commercial pressures on that Authority mean that malware (by some standards) may pass, while perfectly harmless software gets filtered out as it expresses different opinions. So a large amount of people root or jailbreak their devices to get at least some sort of control over it. Since that wasn't seen as a possibility in the security concept, there are no other meaningful precautions.

2. Sandboxing: In theory you would simply sandbox an application and restrict its abilities that way. Unfortunately that doesn't work. Any app can just refuse to run if it doesn't get the access it wants. Since the user wants to run that app, those rights will be granted. Even if you solve that problem by providing "fake rights" to that app, sandboxes are by no means secure. With Rowhammer we have learned that even allowing memory accesses to restricted areas can lead to sandbox breakouts.

So what can we do against it?

First of all we need to ditch the idea of installing random software from some app-designer. Installing an app should be something rare, not something you do because a billboard tells you to do. Maybe it should even only be possible by holding down some hardware button inside of the device.

Then we need to greatly simplify those operating systems. Those systems should be roughly at the same level of complexity of Windows 3.1 or a task switching DOS. That level of complexity still can be managed and you might even get to a point where a typical user will not notice a bug. Then you can get rid of the idea that software updates have to be something that has to be simple.

The main problem is that people want web browsers and that web standards are already too complex and are on the way of becoming even more complex. Today a web browser is probably the most complex piece of software you have. Often it's more complex than the operating system kernel it runs on.

'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code?

Christian Berger

Dependencies are always a problem

People have to weigh the problems of dependencies against the advantages and make a sensible decision.

Love our open API? Talk to our lawyers, says If This Then That

Christian Berger

Re: Seriously?

"Free to use isn't the same as cost free, and without funding who's going to pay their bills? This isn't necessarily a good way of monetising their business, but I can't see a paid for service working commercially for IFTTT either."

Well but with those startups we are talking about perhaps 100-200k USD a year for the actual operational and development costs, essentially such services can be done by a mildly competent programmer sitting in a room... what's expensive are the people trying to turn such a service into a business. They are the ones talking to investors and advertisers. They are the ones doing marketing campaigns to promote the service... which at best helps raise the price you sell your company for.

Just like Twitter, such a service could easily be done donation based. It's the desire to turn it into a profitable company that makes it uneconomical.

US govt says it has cracked killer's iPhone, legs it from Apple fight

Christian Berger

Re: Do as we ask...

"It'll be decades before the first 'perfectly secure' device *actually* exists."

Actually we are moving away from secure devices, as such devices become more and more complex. Often that complexity is completely unnecessary.

Only when we learn how to make such devices as simple as possible, we will get something that remotely resembles a secure device.

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

Christian Berger

One should note that this is not the fault of VNC

Most of those things are perfectly well examples for when to use VNC. For example having VNC access to a GUI running on a device saves you from having special client software which will be useless in a couple of years. Since it's a comparatively simple protocol, there are multiple implementations and most platforms have at least one to choose from. Since it's trivial compared to HTML/CSS/JS it's likely to have _much_ less implementation errors. It probably would even be a good alternative for web services.

The problem here is that some people put such services on the Internet without any authentication.

Ever wondered what the worst TV show in the world would be? Apple just commissioned it

Christian Berger

Watch the descent of an Apple developer

Well actually the story of an Apple developer joining the company in its 68k/PPC days could be interesting, particularly when watching them slowly descend into depression.

Ello ello ello: Bungling Met cops blew £100m on failing tech wheezes

Christian Berger

The same everywhere

I mean most larger organisations have such projects which never go anywhere. Often they were ill-fated from the start. There's just this weird idea that somehow companies don't have to have the level of transparency we expect from governmental departments which keeps us from learning about those mistakes.

Wobbly Acer goes two-legged to steady itself

Christian Berger

What I don't understand...

...the only remarkable product Acer had in recent years was their netbook series. If I was Acer I'd focus on that and try to explore the market.

However what Acer did was to market it towards consumers which are now fleeing towards tablets. If Acer was to bring out a version of their netbooks for professionals, they'd have a rather lucrative niche.

So they compete with identical products on identical markets. The only thing that could count would be reputation, but that's never been particularly good with Acer.