Memory Errors: 70% of CVEs
See this http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf
1308 publicly visible posts • joined 20 Nov 2021
I have some experience creating http servers in both C++ and Sappeur. I can assure you the number of exceptions from memory safety in the Sappeur version is very small ("inline_cpp": 4).
http://gauss.ddnss.de/
There are about 60 "inline_cpp" in TCP.ai, System.ai and Math.ai, but those are "system libraries" which finally call the POSIX functions. These system libraries are supposed to be eventually "perfect" from a lot of re-use (read: debugging) in different projects.
So probably 90% of the gauss web server code is memory-safe. In my experience, this web server runs extremely stable (as compared to an equivalent C++ version). Of course, it had deterministic crashes during development, but that is exactly what we want: immediate, localized crash upon programming error. No long-running, covert corruption of memory.
So, even if your code is "just 90% memory safe", it is a huge progress from "100% memory unsafe". Each and every method implemented in a memory-safe way is shoring up safety and security.
It is very hard/impossible to reproduce the safety assurances of a proper memory safe language in hardware mechanisms. Also, it is NOT just about separating code and data, as function pointers and vtables are effectively a mix of both.
ARM tries to do some of this with their fat pointers, but it looks very expensive to me.
For example, in Sappeur you must declare multithreaded objects as such, in order to ensure automatic locking. How would you do this in hardware?
There exist quite a few non-GC (mark+sweep) languages, which are memory-safe.
Rust, Swift, Sappeur (mine) to name a few.
It must be said that the software engineer must break circular references in non-GC languages or you have a memory leak (which is usually NOT exploitable for subversion, but for a DoS attack)
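The leak the post above describes, as an added example in Rust (this is not code from the post, from Sappeur or from the Rust project): two reference-counted nodes that point at each other strongly are never freed once the outside handles are gone, and a server that builds such a pair per request grows without bound, which is the DoS case mentioned. Making the back-edge a `Weak` pointer breaks the cycle. The `LIVE` counter and the `handle_request` simulation are constructed for the example.

```rust
// Added example: reference cycles leak under reference counting (Rc), and a
// Weak back-edge fixes it. Constructed for illustration; not from the post.
use std::cell::RefCell;
use std::rc::{Rc, Weak};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Number of nodes currently alive: incremented in `new`, decremented in `Drop`.
/// This is how the example observes a leak without external tooling.
static LIVE: AtomicUsize = AtomicUsize::new(0);

pub fn live_nodes() -> usize {
    LIVE.load(Ordering::SeqCst)
}

struct Node {
    /// Forward link; a strong Rc keeps the peer alive.
    next: RefCell<Option<Rc<Node>>>,
    /// Back link; Weak does not count towards the strong count, so a pair
    /// linked a -> b (strong) and b -> a (weak) can be freed.
    prev: RefCell<Option<Weak<Node>>>,
}

impl Node {
    fn new() -> Rc<Node> {
        LIVE.fetch_add(1, Ordering::SeqCst);
        Rc::new(Node { next: RefCell::new(None), prev: RefCell::new(None) })
    }
}

impl Drop for Node {
    fn drop(&mut self) {
        LIVE.fetch_sub(1, Ordering::SeqCst);
    }
}

/// One simulated request: build a two-node structure, then let go of it.
/// With `strong_backedge == true` the back link is a second strong Rc and
/// the pair leaks; with `false` the back link is Weak and both nodes are freed.
fn handle_request(strong_backedge: bool) {
    let a = Node::new();
    let b = Node::new();
    *a.next.borrow_mut() = Some(Rc::clone(&b));
    if strong_backedge {
        // a owns b and b owns a: neither strong count can ever reach zero.
        *b.next.borrow_mut() = Some(Rc::clone(&a));
    } else {
        *b.prev.borrow_mut() = Some(Rc::downgrade(&a));
        // The weak edge is still usable while `a` is alive.
        assert!(b.prev.borrow().as_ref().unwrap().upgrade().is_some());
    }
    // `a` and `b` go out of scope here. Rc only sees counts, not reachability,
    // so a cycle of strong pointers is indistinguishable from a live object.
}

/// Runs `n` requests and returns how many nodes they left alive.
pub fn leaked_after(n: usize, strong_backedge: bool) -> usize {
    let before = live_nodes();
    for _ in 0..n {
        handle_request(strong_backedge);
    }
    live_nodes() - before
}

fn main() {
    // Expected: 2000 nodes leaked with the strong cycle, 0 with the Weak back-edge.
    println!("strong cycle,   1000 requests: {} nodes still alive", leaked_after(1000, true));
    println!("weak back-edge, 1000 requests: {} nodes still alive", leaked_after(1000, false));
}
```

The leak is memory-safe in the sense the post means: no dangling pointer, no corruption, just memory that is never returned, so the attacker's payoff is exhaustion rather than code execution. The fix is a design decision (which edge owns, which edge merely observes), which is why the engineer, not the runtime, has to make it.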
Listen to this
https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/
and you will see that Index Errors are an OPP (Old Persistent Problem). The FORTRAN people had this decades ago.
We have index errors in C, C++, Java, C# programs today, we must assume.
Software engineers' understanding of their own "perfection" is wrong. Homo sapiens is not a machine, but a highly capable, error-prone being.
Machines should be tolerant against human mistake as much as possible. C and C++ are good for Code Generators, because machines will eventually be "perfect".
We were already much better with memory-safe ALGOL, but C+Unix won out for cheapness.
Indeed it is very dangerous to be dependent on a military-political adversary/enemy for your communications system. They can turn it off any time and only they have the expertise to turn it on again. Also they can and will use it as a spying and person-tracking system. A clear national security issue, given that the Chicoms can roam freely inside NATO.
Details regarding terminology here: https://www.bundeswehr.de/de/organisation/luftwaffe/team-luftwaffe-auf-uebung/rapid-pacific-teil-4-die-besuche
Mr Finck is wrong on AI machines, though: only trivial code can be properly coded by ChatGPT. All the tough problems still require meatsacks to do the heavy lifting. I asked ChatGPT to code an Enigma cipher machine and it failed spectacularly. Then there are AI controlled Tesla cars which crash into parked trucks...
Maddie de Garay is a case of severe adverse effects which has been systematically suppressed, in order to achieve a faux "successful trial".
It demonstrates that our (NATO+SK+JP+ANZAC) world is highly corrupt in the highest layers. That does not mean Moscow and Beijing are better. The light seems to shine in Africa, where they already resist the Drug Oligarchs - for good reasons.
It is the job of the president to handle classified information in order to make proper decisions. He needs access to secret papers. Surely he should have been more careful and diligent. Is it part of your job to handle as many classified papers?
Mr Trump must be held to the same standards as other presidents or secretaries, otherwise it stinks like a soviet political prosecution.
It looks like they are grasping for straws to avoid him running for president.
Compared to what the Clintons did (email server in the bathroom, open for foreign hacking, having sex with the intern, abusing several women, visiting Paedo Island),
Compared to what BIDEN is doing (collecting bribes from foreign sources through his son, covering up drug approval crimes),
this Trumpish behaviour is benign. A clear attempt to take out an inconvenient politician. He is held to the highest standards while his opposition is basically immune to anything.
This is going to backfire very badly. Unequal application of justice is a hallmark of tyrannies. Welcome to the Soviet States of America!
We know what happens if you give in to these folks: https://en.wikipedia.org/wiki/Felix_Dzerzhinsky
First they come for your language, then for your freedom and finally for your life.
And no, it does not matter that they have teamed up with Big Business and Big Money. Actually, Marxism is a London Invention !
Indeed. What is the "mil tech" of a journalist ? They actually all follow the expertise of their top, virus-phobic man.
They now have an entire cadre of these people and if BEZMENOV is to be believed, this has always been the main occupation of the Moscow elite. And if you think about it, there is a certain elegance in messing with an opponent's mind instead of the hard work of weapons R+D and manufacturing. Also, it is the least deadly-risky form of warfare.
"Rogozin was born in Moscow to the family of a Soviet military scientist. He graduated from Moscow State University in 1986 with a degree in journalism, and in 1988 he graduated from the University of Marxism–Leninism under the Moscow City Committee of the CPSU with a degree in economics.[2]
His thesis on "Philosophy and Theory of Wars" earned him a Doctor of Philosophy while a Doctor of Technical Sciences was awarded him in the specialty "weapons theory, military-technical policy, weapons systems". Both were earned while he was professionally engaged in politics."
This sounds like he never built anything real, but probably took part in the bullshit generation out of Piter. BS carried them a long time, but no longer. If only they could call it a day and focus again on BS instead of kinetics and cybernetics.
We must admit Putin did one thing right: now Russia is again one of the top grain producers, as they privatized the insane communist system to a large degree. During communism they had to beg their most powerful opponents for grain, now they are one of the largest exporters !
If only he could see his good work in economics and retire into the sunset...
1.) Territory is even worse than thought
2.) Apparently French education is worse than thought: "In 1979 Thierry Breton obtained a master's degree at Supélec (École Supérieure d'Électricité) in electrical engineering and computer science, and he is a graduate of the "Institut des hautes études de défense nationale".[2]"
Looks like the Gallics still need German defence support ever since Karl Martell, the Frankish troop leader.
Tactical high-speed links could be provided by EGRETT relays using 100..10000 MHz links. EGRETT would be much harder to disable as they will operate at a standoff of 400 km from the frontline. Polar satellites will all fly over the north pole, where Russia can freely operate.
+ Airbus A380
+ HF radios
+ VHF, UHF, microwave radios
+ Common European Cipher CEC
+ manned by the top generals from Spain, Italy, France, Germany, Britain, Poland, Netherlands, Sweden and support officers from said nations
+ operating as required, but only in takeoff-ready standby/training as long as no external threats exist
The Grob EGRETT can fly at 16000 meters and provide e.g. a high speed microwave link from Berlin to Paris, London to Paris. Two EGRETTs would be needed for Madrid to Paris or from Rome to Berlin
https://en.wikipedia.org/wiki/Grob_G_520
As I wrote before, if only the muppets knew what they already have.
Of course leaders on all levels must accept and learn how to communicate with other leaders using text-chat-style interaction. HF radios cannot support video or even voice communication on a large scale, but this is not really necessary. C2 for huge operations was executed with shortwave, Morse telegrams in the past.
In terms of communications security, the less bits you need to transmit, the better.
Why:
+ a network of shortwave radio stations cannot be taken out easily, unlike satellites, which are easy to spot and attack with ASAT weapons like the SM-3
+ low cost
+ spread spectrum is hard to locate and hard to jam
+ much smaller cybernetic attack surface
Rohde+Schwarz and Thales have spread spectrum shortwave radios readily available. If only the leaders knew what was at their disposal, instead of being fooled by commercial interests who want to live off the teat of state.
Also, given the Russian threat, there must be Common European Action. A centrally controlled air defence wargame, including all west European air forces acting as single power. No more Divide Et Impera by the Kremlin !
Whoever controls the development engineers controls the number and quality of backdoors. Backdoors can be "explained" as programming errors. He also controls which security holes will be fixed, which not. He further controls whether a crashed system can be restarted or not.
The Americans are right, it is a serious threat and it just shows how childishly naive the Germans as a whole are. They can be so naive, because they know they can always call in Uncle Sam.
German politicians are dumb enough to let defence deteriorate to the point they must cry for Uncle Sam whenever Moscow or Ankara utters a threat. A case of childish pacifism, often nurtured by communist leanings.
They will first lecture and then panic. Less rationality than Kindergarten kids.
Use a proper Macro Processor such as m4 to define generic code and then generate instances for different types. Here is an example of a generic Sappeur quicksort algorithm:
http://sappeur.ddnss.de/quickSort.ad.m4.txt
http://sappeur.ddnss.de/quickSort.ai.m4.txt
http://sappeur.ddnss.de/SortUnterstuetzer.ad.txt
http://sappeur.ddnss.de/SortUnterstuetzer.ai.txt
The C++ template system is mostly an unnecessarily complex/hard to debug macro system. The purpose seems to be to scare off newcomers with a load of hard-to-decipher error messages upon a single mistake.
So, get rid of templates, get rid of dynamic typing and employ a proper macro processor for generic code. Write the instantiated code to hard disk, so that the programmer can look at it.
Dynamic typing has been a Dangerous Thing since its beginning. It can be safely used for toy projects without real-world relevance. E.g. adding up the results of the local tennis club or the like. As soon as cybernetic attackers are a concern, do not use it !
Also, if you need performance, dynamic typing requires fancy optimizers, which are themselves security problems.
Essentially, dynamic typing is Fast Food Programming. Quick results at long term cost.
Here is my shot at strong typing and memory safety: http://sappeur.ddnss.de/
1% of the population are farmers who feed 100%. If you add essential supplies for the farmers, it might be 3% of the population who ensure the other 97% can do funny stuff such as arts, car production, traveling, music, administration, policing, firefighting, producing phones, being warriors, building weapons for wars that hopefully never happen and so on.
The Money System seems highly effective in motivating the 97% to work hard on their "superfluous" activities.
That description might be a bit crude, but you get the idea.
The REAL risk is that semi-criminal entrepreneurs from the 97% will build+produce biologically dangerous things to get over their idleness. Cocaine, heroin, unproven medical contraptions.
Customers expect 100% correct advice from the help system. ChatGPT will be 99% right and will emit false information 1% of the time. So what is the value of an AI customer help system? Maybe it can help your helpdeskers to find a clue and then confirm it by checking the documentation manually?
This is how Italy ensures it continues to become poorer and poorer. Ban the new toys from America and keep your people in a state of backwardness. I guess this assures a supply of low skilled servants for the Italian elite, who will use a VPN to learn about ChatGPT.
Yes, ChatGPT will collect lots of data. So do Google, Facebook, Twitter, WhatsApp and so on. Never feed it with anything sensitive. Don't think it is your electronic counselor; find friends over a cappuccino!
Italians have the choice to use qwant, DeltaChat, GMX, hetzner, an RPI file+http server instead. GnuPG, courtesy of the German government, to encrypt messages to be sent via the cr4ppy email servers.