* Posts by David Tonhofer

23 publicly visible posts • joined 10 Mar 2007

Dutch transit card crippled by multihacks

David Tonhofer Silver badge

First poster gets it wrong

> This is the main problem of security through obfuscation.. as there are no external checks for security, security tend to be sloppy at best.

Possibly, but not necessarily. Of course, "roll your own cryptosystem" is to be avoided as a sign of the typical cowboy coder stance.

> If you start shouting "open source" as a mantra, please consider that if everyone knows what you are doing, someone will eventually crack your public system, and chances are he won't tell you....

Possibly, but not necessarily. If everyone knows that I keep my rare pr0n in bank safe 12 at location X, there will still be nobody who can get at it.

> So companies should probably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)

It's not "illegal", it's breach of contract. And then again, you may just add "contains OpenSSL code licensed by the Apache software foundation", which is sufficient.

The larger problem being of course, that your _code_ is the LEAST problematic aspect of keeping your system secure (how do you "crack" my AES implementation? fat chance here),.

iPhone jailbreak tools updated to open firmware 1.1.4

David Tonhofer Silver badge

@Joe K

"instead of making sure the device is bugfree and finalised (like EVERY other pre-flash device)"

That's because these "devices" where basically a couple of mechanical widgets and some wire, encased in bakelite.

Every other device since then has neither been bugfree nor finalised.

"make the ROM a flash chip. Morons."

The only moron is you. Hopefully you are not a hired engineer.

'Tofu' license pits open source against meat

David Tonhofer Silver badge
Dead Vulture

Your license, should you accept it....

Ok, new levels of randomness from the Internet. Whatever.

But the title of this little Reg' Article is wrong as this is not "Open Source" at all. Let's check the somewhat "papal" definition at http://www.opensource.org/docs/osd. It says:

5. No Discrimination Against Persons or Groups: The license must not discriminate against any person or group of persons.

And there you go.

Database gurus slammed for Google post

David Tonhofer Silver badge
Thumb Up

Absolutely something for "semi-coherent computing"


Librarians challenge Web 2.0 youf-work myths

David Tonhofer Silver badge

Urrrr....context, pretty please?

And we cite: "...the report notes while the majority see the benefits, concerns over data security and governance could slow the progress of Web 2.0 development in enterprises"

"I see the benefits" is probably related to the beloved "I have a vision" and the less eloquent "Mmm... mushrooms!", often heard in a strategic meeting or some other dark place in the middle of the night.

Please do say: What exactly _are_ those apparently self-evident benefits? What exactly _is_ that Web 2.0? We demand to know!

Viva VBA - alas

David Tonhofer Silver badge

@B stands for Basic.

"And lets not forget neither Java or the bastard rip off javascript are noted for their speed"

Yes, yes. Java != Javascript, like, totally. Discussions about the speed of Java have passed their "best before" date so long ago that they redshifted right out of anyone's event horizon who actually cares. Really, I would rather you discussed the politics of Cromwell.

Did I forget something?

Oh yeah, I like Perl.

Her Light Materials, Volume I

David Tonhofer Silver badge

So say we all.

...the "sweary recluse" is really the dog's bollocks. I want to see that kind of stuff in IEEE Software!!

Mashups haunted by past experience

David Tonhofer Silver badge

@The Future

"Removing people is the best way to reduce IT costs and making it possible for people to create their own apps is the best way to do this."

But it's simply not going to happen. Parametrization - yes. Creating apps - no. The last 30 years have conclusively shown that the complexity of the application does not go away if a new development tool comes along. Trained people may be able to develop faster but untrained ones will still be unable to develop.

Remember those ads in the 80's mags? "Mr. [mgt guy] has gone Code Free with his new [some tool]. He swears he will never go back."

Mr. [mgt guy] was part of the problem.

Personal data for 650,000 customers vanishes into thin air

David Tonhofer Silver badge

@Steve Keller

Well said sir, but please note that the "network administrator" is NOT, repeat NOT the company security officer!

"There are no standards for real security of data"

Of course there are. Lots. And Lots. And Lots. From high-level recommendations like ISO-17799 or those here: http://csrc.nist.gov/publications/PubsSPs.html down to detailed in-company program instructions.

"..because all they understand is computer security and not physical security and it takes an understanding of both to provide effective security."

I agree with the integration work at least. Said glibly, the problem is management who things that "they" are able to implement good company-wide security as "they" got rid of the worm that came in on the notebook last week. Wrong, wrong, wrong. Anyway, the point is - companies need personnel that is dedicated to the task of security while still being integrated in the day-to-day work to be able to make well-informed implementation decisions. They need to know about networking. They need to know about what's around networking. They need management support. And they need time.

But suddenly -- economics! It is very difficult to bill for such "additional" services - exploitation costs become too high, time for the project is too short, the learing curve too steep, management is either dismissive or becomes catatonic as security hoovers up a squalid percentage of the fixed-cost contract :-( At the end of the day, your identity information may not prove to be that important, really. :-((

"Perhaps that's why I'm on a computer security forum trying to learn but i rarely if ever see a computer security person on a physical security forum"

I don't know about that. One person hanging on a security forum does not a one-way knowledge transfer make.

And yeah, those guys goofed up when not encrypting the tapes. Maybe they wanted to do it "soon" and it's been on the to-do list for ages? I know the problem. (but I managed to encrypt our tapes with the underhand trick of 'unpaid sunday work')

Ok, I'm off, gotta check the servers.

Microsoft puts dusty, old Office code on web

David Tonhofer Silver badge

What SHOULD Microsoft have done?

... JUST ... DIE .... ALREADY ...

(makes swinging motions with a flamethrower)

US-Iranian naval clash: Radio trolls probably to blame

David Tonhofer Silver badge
Thumb Up

@Get your facts straight

> including dropping boxes in front of a ship.


Seriously, here's an excellent complement to the above article:


It says:

-- And when I say "speedboat," folks, I'm not talking about a small frigate, or even something the size of PT 109. I'm talking about the kind of boat you see on American lakes every summer pulling sunburned water skiers around. These Iranian boats are typically armed with a single high caliber machine gun, which is, to put it placidly, a darn sight less weaponry than U.S. combatant ships carry. It sounds to me like the "white box-like objects" the speedboats dropped into the water were Little Rascals technology simulations of mines, painted a bright color for the express purpose of ensuring the Americans saw them and steered around them.

Dengue fever threatens continental US

David Tonhofer Silver badge

"Dr Paul Reiter"

"In truth, the principal determinants of transmission of malaria and many other mosquito-borne diseases are politics, economics and human activities."

Oh shit! A self-evident truth at six o'clock!

Come clear, AC - you just wanted to reaffirm your manly stance against Climate Change, right?

IBM to make massive Ubuntu server play?

David Tonhofer Silver badge
Gates Horns


...the audio of the pro-Exchange maniacal rant.

US switches off the incandescent lightbulb

David Tonhofer Silver badge
Thumb Down

Oh my..

And this from the country where a few milligram of mercury let loose on the Unsuspecting Children(tm) can lead to a class action lawsuit. Did lawyers lobby for this too or what?

Note that this saves a bit more than 1/1000th of the annual US CO_2 emission; but are have the production of the light bulbs and the production of the production lines of the light bulbs been accounted for?

SaveTheInterneters to save the internet from Comcast

David Tonhofer Silver badge


This is politicis (thus a he said/she said thing), but it can be saved by numbers! Do we have numbers? We need numbers!!!

Attacking multicore CPUs

David Tonhofer Silver badge

Oh. My. God.

> As Dijkstra would point out (although not quite in the same words), these problems arise from incorrect design, and can be fixed accordingly by making the design correct.

Attention! Reality intrusion field on unknown transdimensional frequency!

> The time and effort wasted here would better be spent on either coming up with something new and/or actually finding and fixing remaining instances of such problems.

Captain! An agressive knowitall is decloaking right in front of us.

Evasive manoeuvers!! Fire missiles!

Microsoft spins standards defeat into victory

David Tonhofer Silver badge

I suspect "capitalism" is like "freedom", it can be had any way you want.

Don, either:

- you are not exactly knowledgeable about software


- you have information about how software is built that eludes me, like, totally.

Please explain:

- Why you are talking about MS being forced to "give away its software" while this is actually all about opening up interface definitions.

- How it is that, while "Microsoft invests enormous time and resources into the R&D for their Office software" (and I thought they were all just chilling at the Coke machine), the Open Source community somehow unfairly profits because it can "copy [the Office software] on the cheap". You do know that warez is different from work-alike software written from scratch?

- How you know that ODF and Open Office are "entirely based on the inspection and reverse engineering of Microsoft Office and its basic functionality"? Same assembler code in both, right?

- Why "banning MS formats" is somehow "adding insult to injury". Formats must be open, well documented and have clear semantics (see other posters for "not well documented and unclear semantics") otherwise they are dangerous now and probably useless twenty years down the road. Don't tell me your company is keeping Word Documents for the long run?

- Why having the biggest monopolist in town play nice "is undermining the incentives for creating new software" and akin to "punishement"?

Still, I gracefully concede your bashing thing.

Mars rovers roving again, for now

David Tonhofer Silver badge


Robert, "300 watts in one hour" is the derivative of energy production, or in other words, Joule per second per second, J/s^2, an acceleration. To be used in phrases like "In the first instants of the Chernobyl accident, the reactor developed a high J/s^2, going from 0 to something fierce in half a second".

We want to hear the J/s unit, or Watt, which is what is also written on lightbulbs. Or simply Joule if we want to hear about stored energy.

Boffins bend space and time to measure neutron star

David Tonhofer Silver badge

Hrmp! A neutron star is not made of neutrons only

Here ya go:


Why is Hotmail so bad at spam?

David Tonhofer Silver badge

And this nearly a decade after "Internets" became a household word

As read somewhere far above:

>> If people looked after their email addresses better and were more careful

>> about who they gave it out to there would be much less of a problem. It is all

>> very well blaming Hotmail for the problem but if you don't want spam look after

>> your email.

Every time someone writes a phrase like this, God kills a bunch of kittens.

Please, think of the kittens!!

Vista – End of the Dream?

David Tonhofer Silver badge


> And why do you think that is? Apple have half a

> dozen systems to make their software compatible

> with. Microsoft have the other billion.

And of course, it's not Microsoft who writes the drivers, it's the respective producers. HTH.

Safari zero-day exploit nets $10,000 prize

David Tonhofer Silver badge

And this on a sunny Saturday afternoon.

a) Do we really need to read stories that sound as if they had been written by the RNC or Bill O'Reilly himself? "tired claims from Apple and its many lackeys" ... BARF!

b) "Remotely gain full user rights to the hacked machine" and "client-side javascript error that executed arbitrary code when Safari visited a booby-trapped website". I surmise if the user runs his browser as "root"? Or has the browser been made setuid root now? LAME!! If not, provide more information. NOW!

c) Comments. What's an arbitrary dumb rant againts Linux doing in the comment section of an article about compromising Macs? TRIPLE FAIL!!!

Full disclosure: I don't have any Macs around me.

Driving on the right side of the code

David Tonhofer Silver badge

The BIST is not enough

It's late, and the bottle is dangerously close to half-empty so let's rant.

You *can* get software with "built-in self tests", if you lay down the dollars but what do these do? I have never done hardware design but I do think that hardware has the advantages over software of far smaller state space and far higher locality (I'm not talking about fine-tuning impedances and propagation delays here). So you can probably test the various hardware subelements in the same way that you would run the test cases on a library of mostly side-effect free functions. But no BIST procedure is going to give you any assurance about a program that interacts with the user, slurps in third-party classes, runs on a flaky OS, talks over the network, gets stuff from a potentially bad database etc. What might save your program, apart from clean interfaces and clean code, is: well-though out exception handling, software rejuvenation (throwing away you run-time datastructures and starting from scratch if an error occurs), lots of runtime precondition and postcondition checking (through 'assert' for those who don't write in Eiffel). This will keep you on a meaningful trajectory through those parts of the state space where users are not being surprised.

Regarding software testing I never could make friends with "writing tests before the actual function". I have noticed that I you write the test code _alongside_ (not before, not after) your actual code, you really think differently about the interfaces your classes present to the outer world. You try to keep them neat and clean so that you understand them yourself. You leave out any unneeded complexity and generality because you _will_ have to test it, which is a pain. You write in fine-grained modular fashion as otherwise there is no way your code and your tests can properly interact. And last but not least, you put yourself into the place of the caller of your code, which quickly shows where confusions, unstated assumptions and ambiguous requirements lurk. Which makes you add more asserts.