* Posts by UdoGoetz

48 publicly visible posts • joined 6 Jul 2021

Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier than it should be

UdoGoetz

Yeah "Recommendation"

"we recommned you pay us, or your nice pizzeria will no longer be protected by us. Also, your school children will not be protected either".

UdoGoetz

More Fixes

+ Raspberry PI, which is by now more than good enough for libreoffice, for personal webserving, SVN server, personal file server etc. Also for light WWW surfing.

+ Fujtsu Servers based on SPARC are a powerful alternative to Intel and their ME backdoor. https://www.fujitsu.com/us/products/computing/servers/unix/sparc/

+IBM Power https://en.wikipedia.org/wiki/IBM_Power_Systems

+ ARM

https://www.gigabyte.com/Enterprise/Rack-Server/R152-P30-rev-100

https://www.asacomputers.com/ampere-altra-arm.html

https://www.solid-run.com/arm-servers-networking-platforms/honeycomb-servers-workstation/#overview

We must actively use, buy or influence the buying of alternatives to the Wintel monopoly.

UdoGoetz

Re: Well well well, who would have guessed.

Please don't freak out, there have always been options to buy well-supported Linux machines. The more we buy from these vendors, the stronger they will be when we need them. Just don't expect to get a cheap communist Laptop without shackles.

See my other post.

(I admit to having bought communist computers in the past, but I will defintely not do this again)

What to do about inherent security flaws in critical infrastructure?

UdoGoetz

Re: Auto ECUs / Crypto

Note that even with code signing, a complete swap-out of the brake/ESP control unit is probably possible in most cars today. The "hostile" brake control unit could have a radio receiver function for "disable brake".

In this movie plot, a car could "fly out of the curve" after receiving the signal from the baddies.

Again, who needs to kill somebody covertly ? And will the police not find the modified ECU ?

UdoGoetz

Auto ECUs / Crypto

Automotive ECUs do have signed software update mechanisms and further security mechanisms.

Nevertheless, most CAN traffic is not authenticated these days (except for some special signals). An attacker could splice a hostile control unit into a CAN bus in order to mess with the signals.

Is it a problem ? Probably not, as the attacker could in this case simply mount a remote controlled handgrenade into the car and have the same bang for lesser bucks.

The car makers use crypto in order to protect their investment and make modifications harder.

Of course, without code signing, you could have the movie-plot idea of stealth, hostile code in the brake ECU doing seriously nasty stuff. Without the police putting the ECU under the microscope later. Realistic ?

Finally, authenticating all CAN messages would easily require 3x the bandwidth (can message is 64 bit, but authentication would require something like additional 64+128 bit) . Higher BW would probably require much more expensive wiring/cabling, which is why it is only done for special messages while 99% of CAN messages are not protected.

UdoGoetz

Or

..I will walk out of my village to the next well and obtain fresh water. If necessary, I will cook it on the camping cooker or on a set of three candles.

There are simple low tech solutions for high tech issues.

UdoGoetz

"Zero Trust" Inside Plant, Intranet

Of course one cannot assume that a refinery(or similar sized plants) with thousands of employees is totally free of bad apples. Compartmentalize the plant with physical access locks, have plenty of cameras and most importantly, have a plant-internal intel+security service which will find out funny stuff.

Run your employees through government intel databases to weed out the obvious criminals. Liaise with government on threats against your plant.

Never assume an "intranet computer" is always friendly.

All of these security measures require seasoned IT and security experts, it requires documentation and maintenance of the various measures. It requires managers who know what they are doing. And it requires a budget, something the beancounters obviously hate.

UdoGoetz

Security Cr4ze

In the automotive world, CANbus is by default plaintext and not authenticated. If an attacker has access to your car's wiring, he can do a lot of damage.

BUT - the attacker could likewise cut your brake piping, damage the brakeplates, losen the screws of your wheels etc. According to some horrible DDR stories, the Stasi did exactly this in order to punish dissidents.

The "fix" to such issues is to

A) have proper physical security around your car and in/around your industrial plant. Everything from intel/security service, police down to plant security personnel. Dangerous people are kept away from your car by capable security experts(the real 007s) of your government.

B) Hide such bus systems from the outside world by means of PROPER firewalls. If remote access is needed, use SSH, stunnel, TLS, secure IP tunneling, SE Linux, seL4 etc. This will cost some money to set up.

All this handwringing revolves around the idea that everything must be secure without any additional cost, except for "patching".

Finally, Iran has a serious internal intelligence+security failure, which allowed enemy spies to physically access their PLC networks. I fail to see how more ciphering of PLCs would have saved them from this threat. Iran state security is weak, that is the core problem.

Farewell to two pivotal figures: The founder of Inmos, and the co-creator of MIME

UdoGoetz

What A Shame

The transputer could have been the backbone of a lot of advanced european technology.

See this

https://www.youtube.com/watch?v=I39sxwYKlEE

Instead Ms Thatcher, Mr Mitterand and Mr Kohl wasted time and energy on petty, outdated quarrels.

Taiwan bans exports of chips faster than 25MHz to Russia, Belarus

UdoGoetz

Re: Sans The Snark

I do think you do not know the Russian soul and their patriotism. The average russian is not a globalist and they will stay loyal to Russia even if the current ruler is a bit nutterish.

The backbone of Russia are KGB and army officers who know how to motivate, improvise and organise. They also know how to bring the brightest people at one place to develop something great. They are also realists who would call off a costly war, because they are also students of history, economics, hard science and social sciences.

The current problem is the corruption and mediocrity at the top. The BMW-iphone-superyacht set.

UdoGoetz

Re: Quality vs Quantity

All of Europe is quickly approaching the end of our nations, culture and statehood, as we have, on average, too few babies.

America and the woke/drug/moneyfication lunacy is in the same lot, as they are essentially a european nation, too.

UdoGoetz

Re: Quality vs Quantity

https://en.wikipedia.org/wiki/Nikolai_Dmitriyevich_Kuznetsov

https://en.wikipedia.org/wiki/Kuznetsov_NK-93#Performance

https://en.wikipedia.org/wiki/NK-33

https://en.wikipedia.org/wiki/RD-180

(According to wiki the RD180 was not directly designed by Kusnetzov, but strongly influenced)

https://en.wikipedia.org/wiki/Vladimir_Kotelnikov

https://en.wikipedia.org/wiki/Nyquist%E2%80%93Shannon_sampling_theorem

Now imagine how we could work with them to make Airbus even better, if only we could find a way to go along without shooting and the little KGB antics...

UdoGoetz

Quality vs Quantity

Russia is more powerful than Bangla Desh because they have some outstanding well educated and experienced officers(of all branches of service), engineers, scientists, artists, musicians.

For example, General Kusnetzov, who designed and built a large rocket engine in the 60s, which is top notch even by todays standards. Americans chose to buy and use this engine. Or Mr Kotelnikov, who apparently did the same theoretical work as Mr Shannon in signal sampling theory.

Nevertheless, they have too few babies and a problem with corruption and (I assume) their national soul. But this can be said about almost all european nations.

We should really heal the soul instead of burning the youth in wars...

UdoGoetz

Typo

Yes, indeed, the ELBRUS clocks at about 1.5Gigaherz.

http://www.mcst.ru/

A bit of autotranslation will give you much more info.

UdoGoetz

Addendum

It must be said that wasting soldiers and officers is not new to the Russians. They did this 41-45 in enormous numbers. Stalin also murdered virtually his entire general officer corps, which certainly aided Germany to a great degree. But they had America on their side, plus the spirit of defending the rodina. Now they have none of this, just a notorious professional liar without principles at the helm.

Professional lying, deceiving and br4infucking seems to be their core competence (their leader comes from this sector of intel work), while everything else is on soviet or even much worse levels. For example, communications security is at 1910, battle of Tannenberg level. Plain text between general officers. No money for even primitive ciphers, because they need to show off the 150m yachts.

UdoGoetz

Sans The Snark

The Moscovites have the ELBRUS CPU, which is a 64 bit, 1.5MHz VLIW processor. It is completely homegrown, including the C++ compiler. Its the brain of the high SAMs they have. Other applications I can only guess, such as aerospace, marine and the T14 tank, which needs powerful sensor processors.

I benchmarked it and found it as fast as a RPI4, without using the parallel processing.

They have a fab in Zelenograd which apparently can do 65nm chips.

Can it be used for banking ? Surely, if they get rid of the Java Bloat and apply their brains to the problem instead of the Intel-SUN Fat.

How will this work out economically and militarily ?

Surely it will degrade their high end processing and AI* capabilities as compared to those who have access to TSMC and Samsung.

Now is the time for Russian intelligence to show what they can. So far we have seen mostly corruption, incompetence and hybris. Compensated by wasting soldiers and officers. They would be very wise to end this war and recognize their grave mistake.

* a very real thing, as the HAROP drone proved in Armenia recently.

UK's largest union to Arm: Freeze job cuts now

UdoGoetz

DJT

Mr Trump tried to reverse this, but see what happened to him. Look who attacked him.

UdoGoetz

Must read

"root access and full control for the owner"

UdoGoetz

Of Course

Creating a european competitor to IPhone and Android requires a very smart strategy and a certain amount of capital.

BUT - remember that we once were leaders in mobile phones through Nokia. We were leaders in developing the (then) state of the art digital phone standard GSM !

We have all the pieces required:

+Qt as the GUI

+Linux or FreeBSD as OS

+ARM CPU

+Canonicals Ubuntu Touch

+Olimex

+ublox creating modems and GNSS receivers

+seL4 high security microkernel

So - the pieces must be put together and a bit of polish applied. Probably start with a chinese HW platform and just port the software initially. In Generation 3 we could switch to hardware made in Bulgaria, for example.

Unique Value Proposition: Root Access for Everybody and No Spyware Whatsoever. Neither Apple nor Google can deliver that.

Of course we would need some sort of "IT-Airbus" to tie this together, do the marketing, sales, logistics, coordination and of course finance.

Chip world's major suppliers of neon gas shut down by Ukraine invasion – report

UdoGoetz

Still Luxury Problem

All the fertilizer chemicals we need for our farmers is already inside the system. We just need to collect the chemicals and bring them again onto the land. Nitrogen comes from the air using Haber-Bosch.

Flushing important chemicals down the pipe is the main issue.

UdoGoetz

Even Worse

Siemens once found out that they need certain Impurities in a certain chemical used for semiconductor production. So changing the supplier can disrupt operations, even if the new supplier produces a chemical at better purity !

China's top tech city Shenzhen locks down completely for at least a week

UdoGoetz

Oligarchy

The close collaboration of NATO Oligarchy (Gates to Bezos) with China surely had a very nasty effect in several dimensions. Time to regain national sovereignty in technology and in matters of health. Spinning the money wheel is not the same as proper public health policy.

UdoGoetz

Re: 5 Year Review

He just does not want to trade freedom against maximum security+oligarch profit.

Not a baaa-d idea: Embracing the eunuch lifestyle slows ageing – for sheep anyway

UdoGoetz

Re: Clarkson's Farm

You go first and we have at least one problem less.

UdoGoetz

$$$

All of these mutilations of healthy bodies make a nice profit for the Medical Industrial Complex.

IBM insiders say CEO Arvind Krishna downplayed impact of email troubles, asked for a week to sort things out

UdoGoetz

Re: Free of customers?

Well, it seems most IT clients have figured they can go directly to Tata, EPAM, IBA, Wipro and Infosys. They dont need to splice IBM or HP in between them and the low cost engineers.

Or they go to Google, Amazon, 1&1, Hetzner and MSFT for cloudy stuff.

And if something is mission critical, there are specialist development consultancies around, with much better engineers than you can ever get from the "computer" companies.

IBM can by now only attract expensive sales reps and cheap engineers.

UdoGoetz

Bingo

Once had to install their DB/2 ODBC connector. I only got it done with the assistance of an IBM customer engineer.

Oracle, MySQL, MSSQL I could easily get done myself using the installer plus a bit of reading,

UdoGoetz

Re: Heads will roll...

Resource Decapitation ?

UdoGoetz

Re: Memories, and not good ones.

I can second this description of Notes. A hairball of bad ergonomics, dysfunction and bugs. Saw this in two companies.

UdoGoetz

Or

They should simply nuke the notes stuff (which apparently never anywhere worked properly) and call in their redhat team to set up qmail.

I bet email would then work perfectly.

But I doubt there is any competent decisionmaker left at IBM to make this call.

UdoGoetz

Re: "due to a lack of resources"

That is totally never and fully impossible. Problems are always blamed on a wageslave these days. I guess the senior wageslave in charge of the notes cluster contracted COVID19 from his dog in homeoffice. That must be it.

UdoGoetz

Re: I read instead that IBM employee are like kids making shoes for a living...

IBMers can no longer afford shoes ? Yeah, makes sense.

UdoGoetz

Maybe they can all create a gmail account like:

John.Akers.ibmguy@gmail.com

Google is the new IBM. They are actually able to run mainframe-class systems, because they employ plenty of old white greybeards.

UdoGoetz

Senior Truth

From a certain level in the pyramid of power you are allowed to new levels of truthiness. Actually benign as compared to "WMD".

Age discrimination case against IBM leaks emails, docs via bad redaction

UdoGoetz

Whoever is talented and still with IBM should try to jump ship ASAP.

UdoGoetz

Re: The old tricks

There are some companies around who value "old age", highly skilled engineers. I know of one search engine behemoth who does.

IBM shoots itself in both of their feet by laying off their highly experienced talent.

It seems they want to go to die and a fully young staff will facilitate corporate death.

Latest patches show Rust for Linux project making great strides towards the kernel

UdoGoetz

Re: 70% of CVE Exploits Are Related To Lacking Memory Safety / Not Sufficient

I always compile with

g++ -Wall ...

And I will fix any warning before I proceed to perform developer tests.

But this does not mean g++ will tell me all the memory safety issues that rustc would tell me in equivalent code. It simply is impossible for a C++ compiler to detect the same types of bugs as a Rust compiler can find. This follows from the language specifications.

Maybe by 2025 the C++ folks have added the same memory safety mechanisms as Rust in their language spec, then you might have a point then.

UdoGoetz

Re: dis-un-de-throne C in the Linux kernel?! / FALSE

There have been quite a few non-C based operating systems, some of which are arguably safer than Unixoids/Windows, because they use bounds checking inside the kernel.

Here is a small list of them:

https://en.wikipedia.org/wiki/Burroughs_large_systems

https://en.m.wikipedia.org/wiki/ICL_2900_Series

https://en.wikipedia.org/wiki/Singularity_(operating_system)

https://en.wikipedia.org/wiki/HP_Multi-Programming_Executive

Finally, a Rust-based OS, which already works in a prototypical fashion:

https://www.redox-os.org/

UdoGoetz

Re: C++

In my experience with memory safe languages, bounds checks cost about 10% more CPU Runtime. Modern CPUs seem to perform the bounds check and the access "virtually" in parallel (speculative execution).

It is time to admit humans are NOT perfect "code generators". If we can mitigate the effects of our imperfect work, that is very good in my opinion.

UdoGoetz

Yeah FUD

So if Google wants to do something against the obvious security risks of the Linux kernel, you come here shouting and changing the subject to ChromeOS.

Maybe you just learn something new and better than what you already know ?

Or maybe you listen to Sir Tony Hoare and what he has to say about memory safety.

UdoGoetz

Multithreaded Memory Safety in C++ ?

Is there anything of this kind ?

Also, how do you enfore the use of RAII, Smart Pointers and error checked arrays in C++ ?

There are bandaids such as PC Lint, but they cannot look far and deep, unlike Rust.

UdoGoetz

C++

C++ has exactly the same problems as C, if used naively. For example, std::vector::operator[] is not bounds checked. If you dont use RAII, heap errors are almost preprogrammed.

Most importantly, C++ has no multithread-safe memory concept whatsoever. Best of luck debugging multithreaded memory errors.

UdoGoetz

Misrepresentation

You make it look as if the only problems of C are related to strings. This is just a subset of all memory safety errors which occur in practice. All C arrays potentially suffer from index errors. All C heap memory suffers from use after free, double frees and unitialized pointers. Have a look at the CVE database to get real world data.

The people who wrote the HPUX ping of death bug were most likely seasoned developers, not rookies.

Same goes for the many bugs in Windows, in Adobe flash and PDF, in TrueType, Unix utilities and hundreds of thousands of other places. The first time Unix userland utils were run using valgrind, there were loads of memory errors detected.

UdoGoetz

Re: Another language?

Your cute "small" language C has created an enormous amount of exploitable bugs. The Linux guys seem to attempt a gradual conversion to Rust.

It definitely makes sense given the history of bugs in the Linux (and many other C-programmed) kernels.

Will it work out ? We will see.

There are some highly interesting kernels such as seL4 around and they also use Rust for their higher level/application parts.

UdoGoetz

Re: Next to learn

Start small, incrementally grow bigger over time. As always with something new. Rust does catch more race conditions than Go.

UdoGoetz

"C was once a modern language"

I am not sure this is correct. When C was created, there was apparently already a bounds-checked version of Algol around.

Also see this https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/

UdoGoetz

70% of CVE Exploits Are Related To Lacking Memory Safety

https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/

https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/

Using C and C++ is like not using an ABS brake, "because I know how to properly brake".

Sing a song of Office, a pocketful of why: ARM64 version running in a Pi

UdoGoetz

LibreOffice

...works very nicely on even RPI 2