Posts by Wilhelm Schickhardt

Re: Intel's new CEO check list

The big monies are in the server room and the gaming bedroom. Power consumption does not matter there. So don't hold your breath for Intel to ever make something power efficient.

Really Small, Really Economic

That would be the RPI 2. Good enough to

+ store your office files

+ store your code

+ run your personal web server

+ run an efficient discussion board (not PHPBB !)

+ run tinyproxy to filter out the tracker stuff

+ run an XMPP server for your self-controlled messenger

+ run the sn USENET server for your self-controlled discussion board

+ compile code using tinycc

It consumes 3Watts and costs less than 30 Euros once. Use ddnss as a dynDNS proxy service.

Re: They should rebrand themselves as Penelope...

Or maybe we simply stop listening to the progressive political madness. Thats another option.

Ren Zhengfei is the financier-entrepreneur behind Huawei. The man who got the state money to create the company.

For a long time, the UK nurtured the excellent ICL VME mainframe computers (now part of Fujitsu). As industrial policy has now become totally uncool, this very secure approach is left to die, it seems.

Now, what if an "IT Airbus" were set up to compete with the industrial policy of America (DARPA, DoD) and China (Huawei and all the other megacorps) ?

We have some great brands such as Nixdorf, Bull, ICL and Olivetti which could be rejuvenated. There are plenty of great technologies and alternative approaches to be pursued. Oberon, Occam, Transputers, Eiffel, CompCert, SeL4 and quite a few more.

The Chinese managed to stand up a group of financiers-entrepreneurs (such as Jack Ma and Zu Rengfei) out of a population of dirt-poor peasants, workers, soldiers and apparatchiks in a matter of 30 years. Europe could do the same, if we only woke up to the challenge...

Re: What's the definition of a cloud provider?

https://www.qwant.com/?q=list%20of%20european%20cloud%20companies&t=web

https://www.channele2e.com/channel-partners/csps/top-10-european-cloud-services-providers-csps-for-iaas-list/

Re: What's the definition of a cloud provider?

Hetzner qualifies, I agree.

Seems 1und1 offers billing per hour, too: https://www.ionos.de/cloud/cloud-server

Bingo

Europe is too much focused on regulation and not enough on CREATION. Most big companies in Europe date to the late 1800s, when there was a boom in the stock exchanges and when many new public stock companies were created.

Modern day euro politicians only know how to slice the cake and none of them knows how to bake a new one. They seem to not realize that innovation does not come from 100 year old corporations or by direct government action.

Airbus worked out quite nicely and it could work also for the world of computers, software and communication. If we only had politicians like Strauss, who could oversee the creation of something competitive and useful.

https://de.wikipedia.org/wiki/Franz_Josef_Strau%C3%9F

There would be plenty of opportunities in modern day computing, such as unhackable computers, privacy-respecting software/systems, sovereign computing and so on. But alas, modern day euro politicians are only strong on ego and otherwise mostly incompetent.

Defence ministers who never soldiered, health ministers who were bankers, teachers, lawyers.

Re: Litte Guy Data Sovereignty

You must have heavy workloads if you need more than one RPI 2 for your personal needs. If that is the case, run up to 10 RPI 3s in parallel behind your DSL Modem.

Just never run inefficient stuff such as phpbb or gcc on the RPI, that is not fun.

Re: Litte Guy Data Sovereignty

+ bittorrent for video sharing

+ IRC as a realtime discussion system

Wrong

The lack of variable and function parameter type checking is the main reason for the insecurity of real world PHP programs. The idea that programmers can be extremely lazy and do not even have to think about the type of variables has been proven insecure by PHP.

The fact that they have other hairraising stuff such as "all HTTP GET parameters become global PHP variables" does introduce further exploit opportunities.

Then they interpret any string as you "might" want to really have this done then and now. One more mad idea.

So - PHP is not type safe and its memory safety is superficial as they have no proper type system to speak of. Their other crazy ideas make matters worse, that is true.

Re: Rust is the future

The Linux kernel is now in the order of 10s of millions of lines of code. A single bug in this code will typically hand the attacker full control of the computer/embedded system.

This practice should be stopped and memory safe code should be used in the kernel as much as possible. Or the kernel should be as minimal as possible and also compartmentalized, like SeL4.

Rust-based kernels (which will of course include some unsafe sections) look like a very promising approach.

SeL4

You might have a look at this microkernel. It is actively developed and in use for security critical applications. Hensoldt (ex Airbus Germany Systems) continues development and provides commercial support.

In the last 10 years, the Americans (General Dynamics, DARPA and others) developed several projects based on SeL4.

https://hensoldt-cyber.com/wp-content/uploads/2020/05/seL4-whitepaper.pdf

SeL4 is proven to be memory safe, which was a big effort as it is coded in C. For example, a bug in the tcp stack does not open the entire system, but just the tcp stack. With Linux, Unix or Windows, a single kernel bug hands the crown jewels to the attacker.

Hensoldt now also uses Rust for application development.

Re: Security is a word

1.) Supply chain attacks happen then and now. But at probably 1000th the frequency of exploitable programming errors being discovered.

2.) Just because supply chain attacks (in this case the compiler) are possible, does NOT mean we can lay back and ignore the security problems that come from human programming errors.

3.) As your organizations systems-fortress should have multiple layers of defence; the firewall log analyzer/the security team should detect improper traffic which exfiltrates data.

Memory safe programs are one layer of security and arguably one of the most important ones.

Re: Security is a word

This is the point of the Rust language:

+ no undetected buffer index errors (underflows or overflows)

+ no use after free

+ no double free

+ no multithreaded data races

The rust compiler and the generated code will ensure this. C does NOTHING of the like. Man-coded programs typically have these bugs, even if the software engineer is a seasoned expert. That includes the Linux kernel and exploits in gethostbyname() and similar. HPUX ping of death and a plethora of C based exploits in the Windows kernel.

Regarding efficiency of Rust

+ stack allocation

+ destructors, RAII

+ value arrays

+soft realtime capable heap memory using refcounting

Java and C# are somewhat memory safe, but not as efficient and realtime capable as Rust.

Other Measures

To achieve cyber security, software engineers certainly need to apply other state of the art techniques such as properly defined interfaces (using EBNF) and semantic checks. All information flowing into a system from the outside must be thoroughly checked for syntax, grammar and semantic correctness. Any failure must lead to a rejection of the message. KISS should be used.

Other powerful approaches such as firewall traffic logging/monitoring, Sandboxing will still be useful and required.

Strong typing is one very powerful measure, but it must work in concert with other proven measures such as LL(1) parser construction.

Re: look at the daisy cutters

Read this for the consequences of Windows insecurity:

https://www.qwant.com/?q=Maersk%20cyber%20attack&t=web

https://www.qwant.com/?q=Sony%20cyber%20attack&t=web

Entire corporations had their entire intranets wiped out by powerful malware.

Lack Of Chefs

Means we should continue to only eat at McDonalds and Burger King, correct ?

We should ignore all the nasty effects of C memory bugs and continue to write easily exploitable software ?

Re: Success

You can already run high security applications on Redox OS. E.g. a database of users and passwords. A proper software engineer will be able to implement this without a complicated and bugprone RDBMS server written in the unsafe/insecure C language.

Re: Security is a word

Memory safety will neuter 70% of the CVE database exploits. You are mistaken.

Re: Security is a word

UNIX was "given away for free" in order to squeeze out of the market the much more robust and secure ALGOL Mainframes of ICL, Unisys and MCST.

See this, if you want more insight into the Algol machines:

https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/

https://www.bloorresearch.com/2020/08/when-is-a-mainframe-not-a-mainframe/

Rationality

...suggests we all should be happy to seriously reduce the number of errors and their severity. About 70% of exploitable Bugs are related to C memory unsafety effects. Buffer oberflow, use after free, double free etc.See the CVE database.

Your suggestion of "all or nothing" is counterproductive.

Re: How?

The short answer is: a German manager with big ego and little competence got his way. Like Helmut and the €.

It was a single guy who forced this to happen, despite the warnings of his own CFO. Dont blame it on the finance people here.

HP should go after this man instead of anybody else.

Re: Beans counters

See the comment+link about the HP CFO above. She seems to have been the sane one. Also see the other link about the affair and then draw your conclusions.

Re: The good news is...

You have ANY proof JetBrains enabled this ? Or is it just "guilt by association with an unproven claim" ?

Re: Bait And Switch ?

I heard Elon runs an entire Chrome browser in the middle console graphical controller. Fitting for a silicon valley car, I guess.

Re: TinyProxy

vim will run very nicely on the RPI, even over narrowband wireless links.

Re: TinyProxy

When your RPI is running, you can use it also to store+share files (ssh-scp does this very securely), serve web pages, run an XMPP chat server and many more things.

The internet was meant to be a large set of servers and NOT another mainframe under the control of a few greedy corporations with political agendas.

Google docs will simply delete your files if their political correctness/porn checker deems them offensive. No illegal content required whatsoever. Ergo: run your own server and help your friends to do so, too.

Alternatives

https://www.qwant.com/?q=list%20of%20open%20source%20messaging%20apps&t=web

https://www.gnu.org/software/messenger/

https://jami.net/ (very much feature complete, but no police ID required, unlike many others)

TinyProxy

1.) get an RPI

2.) block all devices except the RPI at your DSL router

3.) install tinyproxy on the RPI

4.) blacklist all the tracker domains at tinyproxy (requires log reading in order to build a good list)

5.) configure all your devices to use SOCKS via tinyproxy

6.) Try to use non-google and non-FB services as much as possible. There are great search engines such as qwant (out of Paris) around.

Wrong

There are plenty of *truly* GDPR compliant FOSS systems out there. Like LibreOffice - they dont want to force your data on American servers like MSFT, Google and AAPL do.

Re: But hey, $2bn, I get it. That buys you a lot of morals, apparently.

Too much money leads most people down the cocaine path. So, maybe it is a blessing you did not get that much money.

Re: Really ?

Google still collects way more data than they need to. So does Facebook and quite a few more. They write a huge legalese letter in order to justify that.

You cannot remove the Google data collectors from your smartphone.

You cannot remove the shady keylogger/activity tracker (or whatever it is) from Windows 10.

In my book, GDPR only applies to those who dont have a large army of lawyers.