Skip to content

Update on Dieselgate emissions cheating, presentation at CCC Congress (33C3)


During the 33C3 annual CCC Congress in Hamburg I gave a presentation on the developments in Dieselgate over 2016 and the VW strategy in Europe.

You can watch the video (40min) and/or browse the slides.

Video of Daniel's talk

If you want to know why people laughed during Ijon's introduction of the talk ... click here. The video doesn't show this completely due to the camera being switched.

Dieselgate Emissions cheating presentation at CCC Congress (32C3)


Jake Edge of LWN wrote an excellent article on the presentation Felix and me gave at the 32C3 annual CCC congress in Hamburg, Germany on December 27th, 2015.

If you have an hour to spare, you can watch the video and/or browse the slides.

Video of Daniel and Felix' talk

Security by policy does not work


The laptop systems aboard the International Space Station (ISS) have been infected by computer viruses and worms multiple times. The W32.Gammima.AG virus made it to space in July 2008. And it happily spread from laptop to laptop onboard the ISS. The virus has been written to steal credentials for some common games. It is unknown how many of these were run in orbit. The latency would kill the experience for sure.

I am sure there have been policies in place to prevent astronauts carrying personal soft- and hardware up to the ISS. Personal items must be explicitly applied for and will only be approved after severe scrutiny of each item. Even beyond the obvious security considerations, this is necessary as the launch weight needs to be calculated exactly.
NASA and Roscosmos both have very strict policies for their personnel and strict training to make sure they know and follow policy. The group of astronauts primarily affected by the policy is very well known and counts a few dozen heads.

Still at least one infected USB stick made it up to the ISS and could spread its malware. Other infections have happened and we can assume similar infection vectors.

So the policy has proven unenforceable. It is broken. It is still correct per se. There is nothing wrong with prohibiting personal soft- and hardware in a high risk environment. So the policy stays in place. NASA still needed to make sure to rely much less on its effectiveness.

Hence NASA did the only sane thing: Move from an unenforceable policy to a technically feasible solution, significantly reducing the security exposure. In May 2013 NASA announced the ISS laptops are being migrated to Debian 6. Imagine how much pressure Microsoft must have put up to prevent such a technical decision due to the adverse marketing message it provides along the way. And still the engineers at NASA saw this as the best way forward.

The take-away message here is: Security by policy does not work.

Continue reading "Security by policy does not work"

The XY problem in IT management


Online community users know the XY problem:

A person has a problem X and tries to solve it with Y. He asks about help with Y online.
Often X has a straight forward solution which is not Y. But the person asking doesn't describe X.1

The term "XY problem" was implicitly coined when the Open Source philosopher Eric S. Raymond wrote his "How To Ask Questions The Smart Way" text and added "How can I use X to do Y?" to the "Questions Not To Ask" section.

ESR himself states in "How To Ask Questions The Smart Way":

Describe the problem's symptoms, not your guesses

It's not useful to tell hackers what you think is causing your problem. (If your diagnostic theories were such hot stuff, would you be consulting others for help?) So, make sure you're telling them the raw symptoms of what goes wrong, rather than your interpretations and theories. Let them do the interpretation and diagnosis. If you feel it's important to state your guess, clearly label it as such and describe why that answer isn't working for you.


Since the preceding point seems to be a tough one for many people to grasp, here's a phrase to remind you: "All diagnosticians are from Missouri." That US state's official motto is "Show me" (earned in 1899, when Congressman Willard D. Vandiver said "I come from a country that raises corn and cotton and cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I'm from Missouri. You've got to show me.") In diagnosticians' case, it's not a matter of skepticism, but rather a literal, functional need to see whatever is as close as possible to the same raw evidence that you see, rather than your surmises and summaries. Show us.

As online communities like IRC or forums are quite aware of the XY problem now, the people involved will often quickly focus on getting behind the issue presented. They will ask questions around the "why" do you want to do Y, what is the reason for you seeking help on Y etc. trying to uncover X.

They have been trained by numerous long winded discussions of why somebody would want to solve something as awkward as Y which slowly lead to uncover the unarticulated underlying problems X.2

  1. There are many alternate definitions for the XY problem available on PerlMonks. Some - like ESR - define Y to be the original problem and X the offered solution. I stuck with Greg Wooledge and John D. Porter and used X to be the underlying problem and Y the exposed question or request. That occurs more intuitively to me and seems to be the more frequent definition. As they don't change the message both nomenclatures are fine and time will tell which one prevails. 

  2. Greg "GreyCat" Wooledge has collected examples of the XY problem in IRC communities in his Wiki

Continue reading "The XY problem in IT management"