MauriceK writes about security in the ZETA operating system. Apparently magnussoft, sole distributor of ZETA, makes security claims [on the German version] that with ZETA “it is not possible to examine a system from the outside without notifying the user due to the architecture of this software.” MauriceK seems to think differently, and even gives examples on how code can be executed without the user’s knowledge in ZETA. In related news, BeUnited is no more. Instant update: the discussion concerning security just made its appearance on the Haiku m-l.
So… will February be the “Month of ZETA Bugs”?
Bring it on! I want a month of Zeta bugs!
I believe that would be MOZB…
And next week, Symantec will try to sell its software to Zeta users. =)
What? To both of them?
You insensitive clod!!
There’s seven of us now.
“What? To both of them?”
I am Spartacus! ;o)
I presume it’s been endlessly pointed out in the past that “security through obscurity” is a double-edged phrase?
Zeta and BeOS were never that secure. It was not developed as a secure OS and the engineers never paid any attention to security in any major way. In fact, I still remember the BeOSTipsServer site that ran on a BeOS web server and how it was hacked within 20 minutes after a bet. Magnussoft doesn’t know what they are talking about.
I think that you are right.
But Zeta (as well as BeOS) is an OS where all ports are closed after the installation. If I do not start any server (e.g. an ssh or a telnet server) and if I do not install any piece of software from “alien” software repositories, why should this Zeta be “unsecure”?
O.k., there are other factors like an outdated Firefox browser or a few old graphics libraries (libtiff, libpng).
But how realistic are Maurice K’s scenarios? How could a cracker break into Zeta without the user’s interaction or “help”?
But Zeta (as well as BeOS) is an OS where all ports are closed after the installation.
That doesn’t make it secure. In fact, much depends on what you mean by “closed”. Closed ports simply mean that there are no applications listening on a port, though they could open at any time. Open means that an application is listening on a port for connections or packets. Any OS that ships without active services listening for incoming connections has all ports closed by default. That does not mean they are secure. Of course, using a firewall helps inasmuch as it slows down port scans (your ports are not simply “closed,” but filtered, which means that port scanners cannot determine their state), but port scans are looking for vulnerable applications running on open ports.
If I do not start any server (e.g. an ssh or a telnet server) and if I do not install any piece of software from “alien” software repositories, why should this Zeta be “unsecure”?
O.k., there are other factors like an outdated Firefox browser or a few old graphics libraries (libtiff, libpng).
But how realistic are Maurice K’s scenarios? How could a cracker break into Zeta without the user’s interaction or “help”?
They are very realistic. User’s help or interaction: the difference might be huge, depending on what you mean by these terms. Firefox is more secure than IE 6.x b/c it warns if something nasty tries to find its way to your computer. Disregarding these warnings is actively helping the cracker. However, we constantly interact with our computer, and what Maurice proves is that by mere interaction (not actively disregarding warnings) a cracker can break _easily_ into Zeta. What I gather from this post is that Zeta’s security is on par with Win98.
Edited 2007-01-06 14:39
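The open / closed / filtered distinction from the reply above, as an added example that is not part of the original comments: a TCP connect check for a host you administer. The function names are made up for this sketch, and the loopback demo uses a listener it creates itself.

```python
import errno
import socket

def state_from_result(rc):
    """Map a connect_ex() result to the three port states named in the reply."""
    if rc == 0:
        return "open"      # handshake completed: an application is listening
    if rc == errno.ECONNREFUSED:
        return "closed"    # host answered with a reset: reachable, nothing listening
    return "filtered"      # timeout or unreachable: the state cannot be determined

def probe(host, port, timeout=1.0):
    """Classify one TCP port by attempting a full connection to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return state_from_result(s.connect_ex((host, port)))
        except socket.timeout:
            return "filtered"   # a firewall silently dropping packets looks like this

def demo_loopback():
    """Show that 'closed' is a property of the moment, not of the OS.

    Constructed demo: bind a listener on a free loopback port, probe it,
    stop the listener, and probe the same port again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0 = let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo_loopback())
```

The same port reports differently as soon as something starts or stops listening on it, which is why a default install with no listeners says little about the applications that will later run there.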
BeOS security was a step ahead of the other desktop competition when Microsoft was shipping a Win9x kernel and Apple was shipping System 8, but that was a decade ago. The only major thing that BeOS R5 had over those OSs was protected memory. Otherwise, it was a single-user system with no permissions checking to speak of. Quite a far cry from either the NT, BSD, or Linux kernels…
Edited 2007-01-05 23:01
dude, Windows 95 has/had protected Memory. and I dare say it did a better job of it than BeOS ever did. And this is coming from a (ex)BeOS lover.
Win9x had a 1GB shared area (world readable/writable) in which it mapped critical system DLLs and memory-mapped files. AFAIK, BeOS never did anything this blatantly insecure.
No, but BeOS’s memory protection was just as shitty. I don’t know all the details, but I know a BeOS coder that told me and showed me several very easy ways of mucking with another program’s memory space and crashing it and the whole OS.
anyways, windows 9x is mostly dead and hopefully haiku will address a lot of these issues.
Eugenia wrote:
-“Zeta and BeOS were never that secure. It was not developed as a secure OS and the engineers never paid any attention to security in any major way.”
of course not, security was not exactly a major focus in desktop os’es back then. nor was the internet as hostile.
Zeta builds on the Dano code iirc, so unless they’ve made a lot of security oriented changes it is likely just as (un)safe as BeOS was.
that said, the statement was –“it is not possible to examine a system from the outside without notifying the user due to the architecture of this software.” all the examples from MauriceK were of abuses from the inside, in other words, it requires user action, like executing a malicious program. if he had shown examples that remotely connected and executed code on a zeta machine then it would have made some sense in this context.
the statement was -“it is not possible to examine a system from the outside without notifying the user due to the architecture of this software.” all the examples from MauriceK were of abuses from the inside, in other words, it requires user action, like executing a malicious program. if he had shown examples that remotely connected and executed code on a zeta machine then it would have made some sense in this context.
The vast majority of security issues with WinXP is due to attacks from the inside, malicious code that found its way to your hard-drive. The statement Maurice set out to debunk is completely bogus. You can make the same claim of any OS, including win98 … until you ran an application that has remote code execution vulnerability. Or what about portscans – you can use nmap to scan a Zeta machine, which surely qualifies as an examination from the outside )) But jokes aside, what Maurice shows is that due to the “architecture of this software,” it is very very easy to hide malicious software on the system without the user having any chance to notice them. Of course this depends on user-interaction, and once the code is on your puter, it qualifies as an “inside” attack vector, but still, the original statement is false (as in meaningless), and its only purpose is to lull users into a false sense of security.
Ya, well they also claim that Zeta is a complete desktop replacement. We all know that isn’t true either.
I think Zeta is an experimental or toy project like Mimix. These kinds of OSes are exempted from common issues surrounding mainstream OSes.
Before anyone jumps in and declares that $OS_OF_CHOICE is ultimately secure, let me say this: there is no ultimate security, at least outside the scope of proven correct software (which means for probably everyone reading this website except 15 people: nothing on your hard drive).
Multiuser? File permissions? Firewall? Encryption? Signed software? History shows that all of these measures were circumvented in the past and there is nothing that leads me to believe that this won’t change.
The easiest way to gain access has always been social engineering anyway, and that has already happened long before computers and software (remember what the original Trojan horse was). And that is something no technology can protect you from: there is no way your OS can tell if the program you just double-clicked is only doing what you think it does or a bit more than just that.
“And that is something no technology can protect you from: there is no way your OS can tell if the program you just double-clicked is only doing what you think it does or a bit more than just that.”
If you take the view that something is impossible, just because no one has ever done it before, you have lost the fight before you even started it. If, however, you “think outside the box”, I am almost certain a 100% tamper-proof, hack-proof, virus-proof, and malware-proof OS *can* be designed.
When the particular OS I’m watching gets to a stage where it is “independent”, I plan to try and design such an OS, with the help of those willing to believe that “impossible” is simply “possible” that hasn’t been tried yet, and can “think different”…
“If, however, you “think outside the box”, I am almost certain a 100% tamper-proof, hack-proof, virus-proof, and malware-proof OS *can* be designed. ”
Is that like the car that can never crash? Or the stove that never burns your food?
Nothing is 100% proof, if you think that is possible you’re beyond help. Honestly.
However, it IS possible, although extremely tedious and in no way foolproof, to prevent applications from touching files they shouldn’t touch. On OpenBSD it’s called systrace but I can’t remember what it’s called on other *nixes.
The problem is, how do you know what files an application is supposed to be able to access? Trust that the developer provides you with an accurate list? Use a list from a (more or less) random website? Go to the tedious work of creating it yourself?
As always, security is a tradeoff versus convenience and excessively prompting the user for file access isn’t going to make the user happy or productive.
You’re NOT “thinking outside the box”, Soulbender! You see what exists and what can be extrapolated from what exists and you assume all must follow that course.
I, on the other hand, see things from a different perspective. Not confined by the thought of, “This is ‘what is’ and this is what can be done with ‘what is’… and nothing else exists outside of that!” I think in the realm of “Let’s make a system more secure by applying rules and ideas that people haven’t tried yet!”.
The only ‘what is’ I’ll be using, is the OS itself. I’ll be manipulating ‘what is’ by using ‘what isn’t’.
Just remember… cars weren’t invented by people who only thought the horse and buggy was as fast as you could go. The moon was never visited by people who thought you couldn’t get there. Apple wasn’t saved by someone who thought the “status quo” was “good enough”.
Apple is where they are, today, because one man CAN make a difference… if you just… “think different”.
I hope to be able to do likewise… if I can just find a few like-minded individuals willing to push the envelope and do things a little differently than ever before… even if it seems unconventional, silly, or just plain crazy. And especially, if it’s believed… “it will never work”.
…the “article”, which reads:
Comments are disabled.
they know why.
The comments are here:
http://www.zeta-os.com/cms/plugins/forum/forum_viewtopic.php?3727
I thought the subject raised on the haiku mailing list was much more interesting:
There’s nothing to prevent a user from running a malicious application which wrecks their home directory.
When this question is raised it is never taken seriously, why?
It is not taken seriously because the home directory will likely become ‘roaming’ or otherwise protected with the inclusion of multiple user support. At that time ( Haiku R2, maybe ) some greater concern for ‘malicious attack prevention’ will surface. And then, it will mostly be handled through the code that provides the means to switch users, or in the kernel.
Currently, the only guarantee you have on BeOS is that there WILL be a /home directory. It doesn’t mean the contents are safe ( in fact you can delete /home and watch it magically re-appear so fast it’ll make your head-spin).
Fun, huh?
–The loon
“When this question is raised it is never taken seriously, why?”
Because it is what backups are for and it has nothing to do with *security*.
It’s like saying “I want a hammer that won’t let me destroy stuff in my home…unless I actually want to destroy stuff in my home”.
Because it is what backups are for and it has nothing to do with *security*.
It’s like saying “I want a hammer that won’t let me destroy stuff in my home…unless I actually want to destroy stuff in my home”.
This is a very bad analogy, a hammer isn’t likely to go round the house and destroy stuff of its own accord. I have to physically pick up the hammer and do the damage myself.
On a computer the “hammer” can do it all itself without any user intervention. What’s more, the hammer can pretend to be a pretty picture hanging on the wall, so you don’t even know it is a hammer.
The problem is any file in my home directory can do whatever it likes. It should be the other way around, it should only be able to mess around with other files if I say so.
When this question is raised it is never taken seriously, why?
It is taken seriously, but there are no easy solutions. It was somewhat amusing to see how Zenja Solana’s proposal begins with a bold note:
Protection #2 (prevent application from destroying files) actually has a very simple solution which no OS really uses, which is quite puzzling…
… only to fall apart towards the end. See how the restrict writing to only the apps’ directory quickly becomes restrict writing to apps directory… and oh, the config directory… and oh yeah, the file directory as well. And if you think of this last one, this works only if there is a “hardcoded” place for each filetype, plus there is only one application for each file type (just think of it!). In other words, the only way of protecting important data is to backup them regularly — there is no easy way to protect user directories without seriously limiting the system’s flexibility.
On the other hand, one should not downplay the importance of a multi-user system, like the above post does. Just one example: I run apache on my machine, under user:group www:www. Now if a remote attacker finds an exploit in the code of my website, it can probably get access to my system. Actually, I got haXored once this way (and it was my fault, didn’t update geeklog for months, even though there were known security vulnerabilities). What happened is that the attacker gained access to files that belonged to www:www, and could write to places where www:www could. Which means, that all my data files in my home directory were safe (because the remote code execution vulnerability would have to be combined with a local privilege escalation vulnerability in apache itself, and the two happening at the same time has a ridiculously low chance). Were I using Zeta, the attacker would have complete access to all my files. That’s a significant flaw in Zeta’s design.
So, to sum up: the question you refer to is being taken seriously, but the solution is not trivial (it is trivial, but that would mean the end of control over your computer). In the meantime, real security issues (non-encrypted central contact list storage??? – how easy is to solve that for god’s sake?) that can be solved and were solved in every other OS should be taken care of, instead of downplaying their importance or impact.
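The www:www containment described in the comment above can be checked on a multi-user Unix system. The following is an added example, not code from the thread: it lists what a given service account could modify under a directory, using POSIX mode bits only. The directory layout, file names and the service uid/gid are constructed for the demo, and ACLs and the ancestors of the starting directory are ignored.

```python
import os
import stat
import tempfile

_BITS = {"w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def allowed(st, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    owner_bit, group_bit, other_bit = _BITS[want]
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def write_reach(root, uid, gids):
    """Relative paths under root the account could modify.

    A directory counts when the account can create or delete entries in it
    (write + search); a regular file counts when its own write bit is granted.
    Subtrees the account cannot search are unreachable and are pruned.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        if not allowed(dst, uid, gids, "x"):
            dirnames[:] = []             # cannot traverse: nothing below is reachable
            continue
        if allowed(dst, uid, gids, "w"):
            hits.append(os.path.relpath(dirpath, root) + "/")
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, "w"):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed home directory, audited for a hypothetical service account."""
    dirs = {"private": 0o700, "public_html": 0o755, "public_html/upload": 0o777}
    files = {"private/notes.txt": 0o666, "public_html/index.html": 0o644,
             "shared.txt": 0o666}
    with tempfile.TemporaryDirectory() as home:
        for rel in dirs:
            os.makedirs(os.path.join(home, rel), exist_ok=True)
        for rel, mode in files.items():
            path = os.path.join(home, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(home, rel), mode)
        os.chmod(home, 0o755)
        owner = os.lstat(home)
        # Assumed service identity: any uid/gid that is not the owner's.
        return write_reach(home, owner.st_uid + 4242, {owner.st_gid + 4242})

if __name__ == "__main__":
    print(demo())
```

In the demo the world-writable `private/notes.txt` is not reported, because the `0700` directory above it stops the service account from reaching it; on a single-user system with no permission checks, every path would be in the list.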
Magnussoft$(Bernd),
it seems that the news on the security of the Zeta OS should only generate sales for their OS!
WARNING! ZETA OS is not secure!
Haiku has the same problems but it does not claim to be secure. Haiku is first of all reconstructing R5, with modifications and improvements, but nevertheless. And you can be sure that the Haiku team will not sell the OS for a lot of money and with some false promises.
MFG Stargater
Believe me, it is secure… who will bother to hack it?
That’s a point after all. Even at the height of BeOS’s popularity, I can’t recall ever hearing of a BeOS virus.
One virus, which was made incompatible with the introduction of in-kernel networking ( BONE ).
Zeta uses a fixed-up revision BONE from all appearances, which was more secured. BONE is basically a source-less port of the BSD networking stack, which is known to be more or less secured by design.
The net_server BeOS revisions had a fatal flaw that was so easy to exploit, you would find yourself experiencing the side-effects after a lot of perfectly safe and normal network traffic. No hacking needed.. just ping a few hundred times to rid a dial-upped system, sending larger-sized packets for higher-end connections.
BONE, on the other hand, was never finished by Be, INC, and likely never had a security audit.. in fact I find this highly likely considering any BONE system can be ftp’d into and the user/pass of baron used to get in with full, un-monitor-able access. You could delete every file in every drive of the system, as the ftp root was the kernel’s virtual root ‘/.’
Of course, Zeta should ship with all services off. Doing such could create a pretty secure system, and the internal methods for setting up those services for the network is surprisingly system-handled.
Basically, to start a network service on BONE, you would change the settings in a file, then send an alert to the kernel (through inetd?), the kernel would then process the file, obliging to the on/off settings (likely) without regard to who set them. However, in its ‘released’ state ( the latest Be BONE known, which is in Dano and early Zeta OS versions ), BONE would restart networking to have the file reloaded.
Restarting the networking stack to change a service is no biggy at all, unless you’re trying to hack the system and spent a couple hours getting into the system, and now find yourself completely out again because the network card was just shut off and back on, and the system may have even leased a new IP address ( either local or public ). That certainly adds in ‘security’ where other systems don’t even try.
I decided to run a quick portscan over my network to my PhOS system and see what results we could get.
With xitami running for HTTP
$ portscanner -attackopen -violent 192.168.1.100
/bin/portscanner Version 1.2g
(C) JDG-looncraz, 2003
|
| Scanning 192.168.1.100
| Found Open Port: 80
| Attacking 192.168.1.100:80 ( 50 attacks )
| Scanning…
| Attack failed! Trying more violently…
| Scanning…
| Attack succeeded!
| The remote application serving 192.168.1.100:80
| should have been successfully hijacked.
| Continuing port scan…
| No More Open Ports!
$
As we can see, hacking in depends on the ports being open, which means some app is listening. It could be the kernel. ( Oh, one note, even though it says ‘hijacked’ the portscanner does not hijack yet, which is why it says ‘should’ ).
Okay, now a run with no services on:
$ portscanner -attackopen -violent 192.168.1.100
/bin/portscanner Version 1.2g
(C) JDG-looncraz, 2003
|
| Scanning 192.168.1.100
| Scanning…
| Impossible to navigate IP address.
| Please make sure the IP address is correct, this
| is likely only to occur when the device at the
| IP address given has entered full lockdown or is
| running advanced firewall software.
$
A lot different.
Now, against Windows ( XP, default install, no firewall , no network services installed and only TCP/IP protocol )
$ portscanner -invadelist -mappedonly 192.168.1.104
/bin/portscanner Version 1.2g
(C) JDG-looncraz, 2003
|
| Scanning 192.168.1.104
| Found Unknown Windows, no firewall.
| Scanning…
| Found 12 Open ports!
| 4 Mapped for invasion.
| Remote Procedure Call, Alerter, Windows Update,
| MSN Messenger
| Print only, no invasion.
$
With the Windows Firewall on, you have to use a Windows Firewall exploit to get through. I haven’t updated the app in years, so I haven’t exploited any of them yet so that I can have the firewall on and use my network mass storage at the same time ( spanning storage needs across many machines silently ), but I am confident that the hardware firewalls I have do their trick.
Oh well, just a little FYI w/ my $0.02.
–The loon
It can be shown that all operating systems not based on orthogonal persistence and capabilities are inherently unsafe.
http://www.eros-os.org/essays/capintro.html
“orthogonal persistence”
Fleecy, is that you?
http://www.osnews.com/comment.php?news_id=4077&offset=30&rows=34&th…
Uuu ftw!
I’ll tell you what it is. It is this: In Germany, where Magnus is based, there are recent attempts by the authorities to push for legislation that would allow them to remotely investigate a user’s PC without him realising. Now, I am sure that all you bunch got the coolest firewalls, BSD-boxes, bla-bla-bla.. that will never be cracked. However, this is not true for 99% of the population. So, any such tool for remote access will be geared towards stock Windows installations, in any event, they will not develop a version of the software for QNX, Plan9 and Zeta for the 5 remaining users that are out there.
In that light, with the current discussion going on, they probably “rightly” claim that the system is safe by design with view to examining it from the outside. It is a mild regional marketing claim, so don’t even jump on to it – it certainly hasn’t got anything to do with security “features” (without having read the link – I don’t have to read it where BeOS and security appears in the same sentence, as everybody here seems to agree).
I could never trust a closed source OS with security. What, I’m going to trust magnussoft or Be Inc or Apple just because they aren’t Microsoft????
Fortunately open source not only has the theoretical advantage of lots of people looking for bugs. Klocwork says they give free analysis of open source software. http://www.klocwork.com
For closed source it costs several thousand dollars.