Re: Intel's new CEO check list
If that were the case, server programs would not be written with Java, PHP and monstrous frameworks. Java needs 2x the memory of an equivalent ObjectPascal program.
66 posts • joined 6 Jan 2021
That would be the RPI 2. Good enough to
+ store your office files
+ store your code
+ run your personal web server
+ run an efficient discussion board (not PHPBB !)
+ run tinyproxy to filter out the tracker stuff
+ run an XMPP server for your self-controlled messenger
+ run the sn USENET server for your self-controlled discussion board
+ compile code using tinycc
It consumes 3Watts and costs less than 30 Euros once. Use ddnss as a dynDNS proxy service.
Merkel and her ilk likes to talk of "Europe together", but when Alcatel, Nokia or Siemens are in trouble due to state-financed foreign competition, she does exactly nothing. Because the auto guys warned her not to offend their biggest customer, the Chinese.
The Chinese have by now established one-sided contracts, under which the Chinese have all the advantages and European companies are hamstrung. We have limited access to China and must transfer technology, but the Chinese can directly import their electronics from Shenzen to every little town in the EU.
Similarly, the Americans ignore GDPR and write up reams of legalese to enable this. European companies are fined by data protection officers if they attempt just 1/10th of the American data collection efforts.
The Russians by now have a stronger IT industry than the entire EU: Yandex, mail.ru, ELBRUS.
For a long time, the UK nurtured the excellent ICL VME mainframe computers (now part of Fujitsu). As industrial policy has now become totally uncool, this very secure approach is left to die, it seems.
Now, what if an "IT Airbus" were set up to compete with the industrial policy of America (DARPA, DoD) and China (Huawei and all the other megacorps) ?
We have some great brands such as Nixdorf, Bull, ICL and Olivetti which could be rejuvenated. There are plenty of great technologies and alternative approaches to be pursued. Oberon, Occam, Transputers, Eiffel, CompCert, SeL4 and quite a few more.
The Chinese managed to stand up a group of financiers-entrepreneurs (such as Jack Ma and Zu Rengfei) out of a population of dirt-poor peasants, workers, soldiers and apparatchiks in a matter of 30 years. Europe could do the same, if we only woke up to the challenge...
Europe is too much focused on regulation and not enough on CREATION. Most big companies in Europe date to the late 1800s, when there was a boom in the stock exchanges and when many new public stock companies were created.
Modern day euro politicians only know how to slice the cake and none of them knows how to bake a new one. They seem to not realize that innovation does not come from 100 year old corporations or by direct government action.
Airbus worked out quite nicely and it could work also for the world of computers, software and communication. If we only had politicians like Strauss, who could oversee the creation of something competitive and useful.
There would be plenty of opportunities in modern day computing, such as unhackable computers, privacy-respecting software/systems, sovereign computing and so on. But alas, modern day euro politicians are only strong on ego and otherwise mostly incompetent.
Defence ministers who never soldiered, health ministers who were bankers, teachers, lawyers.
+ Teres Laptop running Linux from OLIMEX out of Bulgaria. Made by Yourself.
+ RPI 2 as a small, energy efficient server for secure worldwide file serving, XMPP server, source code storage, personal web server, firewall and much more
+ NextCloud, OnlyOffice run in your own/your neighborhoods data center
+ LibreOffice running on an RPI 2 instead of resource burning MS Office
+ XMPP/Jabber chat system. No police ID for innocents and no telephone list sharing required. Telephone numbers HAVE NOTHING TO DO with chat systems ! (except if you are in bed with snoopers international)
+ USENET/sn as a NNTP server for your community's discussion needs
Remember: the internet existed well before the corporations and their trillions of dollars invaded it. It continues to exist quite nicely without them and their government being in control !
The kneejerk "free market economist" reaction is to browse for the cheapest cloud vendor, sign up and upload decades of valuable data to an American-controlled data center. Three days later, the Americans will download the data (in total secrecy and with the justification of "terror Inspection") and then hand it over to your American competitor.
I have to admit though, that the Americans are even more wicked than the Greeks - they make the Trojans pay for the horse !
In many if not most cases an insecure browser JS program will not create security issues, as one must trust the server side anyway.
But if you run JS on the servers side, you better have solid defensive measures or you will be hacked sooner or later. Strong typing is one proven security measure.
You can also run Rust on both śerver and client.
The lack of variable and function parameter type checking is the main reason for the insecurity of real world PHP programs. The idea that programmers can be extremely lazy and do not even have to think about the type of variables has been proven insecure by PHP.
The fact that they have other hairraising stuff such as "all HTTP GET parameters become global PHP variables" does introduce further exploit opportunities.
Then they interpret any string as you "might" want to really have this done then and now. One more mad idea.
So - PHP is not type safe and its memory safety is superficial as they have no proper type system to speak of. Their other crazy ideas make matters worse, that is true.
The Linux kernel is now in the order of 10s of millions of lines of code. A single bug in this code will typically hand the attacker full control of the computer/embedded system.
This practice should be stopped and memory safe code should be used in the kernel as much as possible. Or the kernel should be as minimal as possible and also compartmentalized, like SeL4.
Rust-based kernels (which will of course include some unsafe sections) look like a very promising approach.
You might have a look at this microkernel. It is actively developed and in use for security critical applications. Hensoldt (ex Airbus Germany Systems) continues development and provides commercial support.
In the last 10 years, the Americans (General Dynamics, DARPA and others) developed several projects based on SeL4.
SeL4 is proven to be memory safe, which was a big effort as it is coded in C. For example, a bug in the tcp stack does not open the entire system, but just the tcp stack. With Linux, Unix or Windows, a single kernel bug hands the crown jewels to the attacker.
Hensoldt now also uses Rust for application development.
1.) Supply chain attacks happen then and now. But at probably 1000th the frequency of exploitable programming errors being discovered.
2.) Just because supply chain attacks (in this case the compiler) are possible, does NOT mean we can lay back and ignore the security problems that come from human programming errors.
3.) As your organizations systems-fortress should have multiple layers of defence; the firewall log analyzer/the security team should detect improper traffic which exfiltrates data.
Memory safe programs are one layer of security and arguably one of the most important ones.
This is the point of the Rust language:
+ no undetected buffer index errors (underflows or overflows)
+ no use after free
+ no double free
+ no multithreaded data races
The rust compiler and the generated code will ensure this. C does NOTHING of the like. Man-coded programs typically have these bugs, even if the software engineer is a seasoned expert. That includes the Linux kernel and exploits in gethostbyname() and similar. HPUX ping of death and a plethora of C based exploits in the Windows kernel.
Regarding efficiency of Rust
+ stack allocation
+ destructors, RAII
+ value arrays
+soft realtime capable heap memory using refcounting
Java and C# are somewhat memory safe, but not as efficient and realtime capable as Rust.
To achieve cyber security, software engineers certainly need to apply other state of the art techniques such as properly defined interfaces (using EBNF) and semantic checks. All information flowing into a system from the outside must be thoroughly checked for syntax, grammar and semantic correctness. Any failure must lead to a rejection of the message. KISS should be used.
Other powerful approaches such as firewall traffic logging/monitoring, Sandboxing will still be useful and required.
Strong typing is one very powerful measure, but it must work in concert with other proven measures such as LL(1) parser construction.
There is a long line of programming languages which were designed with robustness in mind. It started with the ALGOL versions, created by some of the greatest minds of computer science: Hoare, Wirth, Dijkstra, Bauer and people of similar caliber.
Several successful mainframe computer product lines were using Algol as a systems and as an application programming language. ICL VME, Burroughs large, MCST.
As Algol68 turned out to be too complex, Wirth started to create smaller languages in the same spirit: Pascal, Modula, Oberon. Rust has found the spirit of these robust languages again and expanded strong typing to mulltithreading.
On the commercial side, the hamburger of programming languages, C, took over the world, as Unix was given away for free. Software Engineers and System admins now have to pray every day their brittle Unix or Windows systems (all coded in C) are not destroyed by some cyber Mafia or hostile Army.
C's lack of memory safety had catastrophic consequences (e.g. Maersk, Sony) and the language should therefore be retired as much as possible. Regardless whether some C developers have to learn a new language or whether corporations need to spend money on retraining. Cyber insecurity is much more expensive in many ways.
UNIX was "given away for free" in order to squeeze out of the market the much more robust and secure ALGOL Mainframes of ICL, Unisys and MCST.
See this, if you want more insight into the Algol machines:
...suggests we all should be happy to seriously reduce the number of errors and their severity. About 70% of exploitable Bugs are related to C memory unsafety effects. Buffer oberflow, use after free, double free etc.See the CVE database.
Your suggestion of "all or nothing" is counterproductive.
Why dont you shop with specialized Linux PC vendors in the first place ? Dell is probably subsidized by MSFT when they sell their machines. Dell cares about the 90% of the market, which is office PCs for businesspeople.
Here is a list of specalized Linux vendors:
Like "Cisco gear improved by NSA", eh ?
Schroeter will sell the entire ship to Wipro or Tata. The Indians will then claim that they lost the PIN to their internet banking app and cannot pay anyone in Europe or the US. As an emergency measure, all work will be moved to India. Then they will wait until all resources move somewhere else.
I once worked for an Ex Nokia manager as a developer. The guy did not really have a clue about the complexity of the work packages he built.
So experienced people woild be assigned trivial tasks while inexperienced engineers got tasks which should have been split in ten subtasks.
He would start a discussion about some issue and then basically tell you to shut up, because he did not like what he heard.
So, Nokia seems to be one of these places of Euro incompetence.
When your RPI is running, you can use it also to store+share files (ssh-scp does this very securely), serve web pages, run an XMPP chat server and many more things.
The internet was meant to be a large set of servers and NOT another mainframe under the control of a few greedy corporations with political agendas.
Google docs will simply delete your files if their political correctness/porn checker deems them offensive. No illegal content required whatsoever. Ergo: run your own server and help your friends to do so, too.
1.) get an RPI
2.) block all devices except the RPI at your DSL router
3.) install tinyproxy on the RPI
4.) blacklist all the tracker domains at tinyproxy (requires log reading in order to build a good list)
5.) configure all your devices to use SOCKS via tinyproxy
6.) Try to use non-google and non-FB services as much as possible. There are great search engines such as qwant (out of Paris) around.
Google still collects way more data than they need to. So does Facebook and quite a few more. They write a huge legalese letter in order to justify that.
You cannot remove the Google data collectors from your smartphone.
You cannot remove the shady keylogger/activity tracker (or whatever it is) from Windows 10.
In my book, GDPR only applies to those who dont have a large army of lawyers.
Biting the hand that feeds IT © 1998–2022